The ESG regulatory landscape continues to evolve despite political headwinds in some spheres. From AI governance to sustainability disclosure and increased regulatory scrutiny, businesses face an increasingly complex compliance environment.

This update highlights the most significant recent developments and what they mean for your organisation in terms of accountability, governance, evidence and responsibility.

Who is legally responsible when businesses use AI?

Why businesses remain liable for AI outputs, even when systems are third‑party

Businesses using AI in customer-facing processes need to be able to explain, monitor and stand behind the outputs of those systems: this is the new frontier of ‘governance’. The fact that an AI agent is supplied by a third party will not, by itself, move consumer-law responsibility away from the deploying business.

How UK consumer law applies to AI agents and automated decision‑making

On 9 March 2026, the CMA published guidance, alongside a detailed policy paper on how AI agents could transform consumer markets. The guidance confirms the CMA’s view that businesses bear full responsibility for AI agents’ actions in consumer law, just as they would for employees.

Companies using AI for customer service, refunds, comparison services, or marketing campaigns therefore face direct regulatory scrutiny.

The CMA’s guidance makes it clear that even where a third party designs or provides the AI agent, it is the deploying business that bears legal responsibility for any failure to comply with consumer protection laws. This fits with the initial conclusions of the UK Jurisdiction Taskforce in relation to AI harms under the private law of England and Wales, published as a consultation in January 2026.

The CMA emphasises that this means existing consumer protection law, including the Digital Markets, Competition and Consumers Act 2024 (DMCC Act), applies whether an action is taken by a human or a machine. Under the DMCC Act, the CMA has direct enforcement powers with fines of up to 10% of a company’s global annual turnover for breaches of consumer protection law.

Key compliance points from the guidance include:

• Transparency: Inform customers when they are interacting with AI;
• Training: Ensure AI agents comply with consumer law and avoid misleading statements; and
• Monitoring: Implement oversight processes with human review of AI decision-making and be prepared to refine systems quickly if problems arise.

Accountability, training and human oversight must therefore be clearly documented and understood across relevant teams, but also evidenced in the way the business actually interacts with its customers and represents itself externally.

What is “AI washing” and why regulators are challenging AI claims

Similarly to greenwashing, “AI washing” involves making exaggerated or unsubstantiated claims about AI capabilities, exposing companies to misleading statement claims and potential breaches of the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (CAP Code) and the UK Code of Broadcast Advertising (BCAP Code).

The UK’s Advertising Standards Authority (ASA) has already upheld complaints on AI-related advertisements, and its AI-powered Active Ad Monitoring system is used to proactively identify non-compliant content.

Whilst the advertising codes do not yet contain AI-specific rules, existing rules apply regardless of how content is generated. Companies should ensure AI claims are legal, decent, honest, truthful, accurate and substantiated.

Questions businesses should ask before making AI‑related statements

CAP recommends that companies ask themselves the following key questions:

• Is the audience likely to be misled if the use of AI is not disclosed? In other words, what’s the mischief, if any, that the disclosure is mitigating?
• If there is a danger of the audience being misled, is the disclosure clarifying the ad’s message or contradicting it?

Marketing and product teams may want to sense‑check existing AI‑related claims to ensure they remain accurate, substantiated and consistent with regulatory and consumer expectations, particularly as the evolution of the technology – and its deployment – frequently outpaces consumer understanding.

Why sustainability reporting obligations are not going away

Why UK and EU simplification does not remove reporting risk

Businesses should not assume that political pushback or EU simplification means sustainability reporting risk has gone away. UK-listed companies may need to map existing TCFD-aligned processes against UK SRS, while groups with EU operations should revisit whether they remain in scope of CSRD or CS3D after Omnibus I.

How the Financial Conduct Authority is aligning UK reporting with the UK Sustainability Reporting Standards

What changes for companies currently reporting under the Task Force on Climate‑related Financial Disclosures

On 30 January 2026, the Financial Conduct Authority (FCA) published Consultation Paper CP26/5 which closed for responses on 20 March 2026. The paper proposed replacing the current framework, which is aligned with the Task Force on Climate-related Financial Disclosures (TCFD), with new requirements based on the UK SRS.

The UK SRS are aligned with the International Sustainability Standards Board’s (ISSB) global baseline standards (IFRS S1 and IFRS S2).

This shift reflects the disbanding of the TCFD in 2023 and the transition to a unified international reporting framework.

The FCA considered that maintaining the focus on listed companies that are subject to TCFD-aligned rules is appropriate for the current level of progress and development of climate and sustainability reporting.

It reported that the majority of these companies already have processes to report on climate-related information: the key risk is that they continue to use what the market perceives to be an outdated disclosure framework, because TCFD has been disbanded.

The proposals therefore apply to companies in the following categories, albeit with some variation between each of the categories:

• Commercial companies (UKLR 6);
• Secondary listing (UKLR 14);
• Depositary receipts (UKLR 15);
• Non-equity shares and non-voting equity shares (UKLR 16);
• Transition (UKLR 22).

Key gaps businesses should review ahead of 2027 implementation

As the FCA aims to limit the scope to companies already in-scope for TCFD-style reporting, the main risk is divergence between the current standards and the new: companies should undertake a gap analysis to determine whether their current disclosure processes map across to the new requirements.

In undertaking this analysis, reference should also be had to the final version of the UK SRS, which was published by the Department for Business and Trade in February 2026 (in the middle of the FCA’s January 2026-March 2026 consultation, which used the draft versions of UK SRS).

The key requirements under the FCA’s January 2026 proposals include:

• Mandatory climate-related disclosures (against UK SRS S2), covering governance, strategy, risk management, metrics and targets;
• Scope 3 emissions reporting on a “comply or explain” basis;
• Disclosure of whether companies have published a climate transition plan, or an explanation of why they haven’t. The FCA has not ruled out the possibility of mandatory transition plans in the future but has indicated this decision sits with the UK Government;
• Wider sustainability (non-climate) disclosures against UK SRS S1 on a “comply or explain” basis; and
• Disclosure on whether a company has obtained third-party assurance on sustainability disclosures.

These positions are subject to a series of transitional rules and reliefs, some of which require the company to specifically opt-in.

The FCA aims to publish its policy statement with final rules in autumn 2026, with the new rules coming into force from 1 January 2027.

Organisations already reporting under older frameworks may benefit from an early gap analysis to identify where disclosures may need to evolve ahead of implementation.

How EU sustainability reporting requirements are changing under Omnibus I

The EU’s Omnibus I Directive (EU) 2026/470 entered into force on 18 March 2026. It significantly narrows the scope of sustainability reporting and due diligence requirements with the aim of boosting EU competitiveness.

How the revised Corporate Sustainability Due Diligence Directive applies to a narrower group of businesses

The legislation simplifies the EU directives on Corporate Sustainability Due Diligence (CS3D) and Corporate Sustainability Reporting (CSRD). In high-level terms, the key changes are as follows:

Corporate Sustainability Due Diligence Directive (CS3D)

• EU organisations with more than 5,000 employees and EUR 1.5 billion net turnover;
• non-EU organisations with more than EUR 1.5 billion net turnover in the EU; and
• EU and non-EU organisations with franchising or licensing arrangements in the EU, more than EUR 275 million net global turnover, and more than EUR 75 million in franchise royalties.

The directive will also apply to ultimate parent companies where the group meets the above thresholds.

• Scope: Reduced due diligence requirements, but businesses must still take a risk-based approach and therefore exercise judgement rather than operating checklists. Climate change mitigation transition plans are no longer mandatory under the CS3D.
• Enforcement: Fines cannot exceed 3% of the organisation’s net global turnover.
• Transposition and implementation: The deadline to transpose the Directive has been delayed until 26 July 2028, and the requirements will not apply until 26 July 2029.

Corporate Sustainability Reporting Directive (CSRD)

• EU organisations and non-EU issuers with more than 1,000 employees and EUR 450 million net turnover; and
• non-EU parent organisations with more than EUR 450 million net turnover in the EU and an EU subsidiary or a branch in the EU with more than EUR 200 million net turnover.

Organisations below the new thresholds may be exempted from the relevant CSRD reporting requirements for financial years starting before 1 January 2027 and will not be in scope under the revised thresholds for financial years starting on or after 1 January 2027.

• Exemptions: There is a new exemption for financial holding undertakings. The existing subsidiary reporting exemption has been extended. Undertakings with fewer than 1,000 employees will be allowed to refuse to provide information that exceeds the voluntary SME standard.
• Scope: Sector-specific standards have been removed, and the rights of organisations to withhold information have been strengthened.

Simplification of these requirements should help reduce internal complexity and administrative requirements – particularly for businesses that have extensive cross-border operations and must therefore comply with regimes both within and outside the EU.

Whether the changes strike the right balance in terms of broader sustainability aspirations obviously remains to be seen. There is of course nothing stopping businesses from going beyond the mandatory requirements should they choose to do so.

Why greenwashing risk is increasing despite regulatory simplification

Regulators, investors, and consumers are scrutinising the accuracy of environmental claims with increasing rigour. This includes the credibility of transition plans, product-level sustainability credentials, and consistency of ESG commitments over time.

Companies that scale back earlier commitments may face allegations of misleading conduct (see our previous blog on this topic here: Greenwashing Compliance: ASA Rulings From 2025 and What Businesses Must Prepare for in 2026).

Businesses reviewing sustainability messaging may wish to consider whether current claims remain aligned with historic commitments and available evidence.

What businesses should review in 2026

The regulatory developments outlined above highlight how ESG risk is increasingly linked to the way that decisions are made, evidenced and communicated across multiple facets of a business. The challenge is less about understanding individual rules and more about ensuring consistency between regulatory requirements, internal governance, business behaviours and consumer outcomes.

In practice, this means reviewing whether existing processes remain fit for purpose as expectations evolve, particularly where new technologies, cross‑border operations or public commitments are involved.

We support businesses across a range of sectors with issues including:

• AI governance frameworks and consumer-law risk assessments
• AI, ESG and sustainability marketing-claim reviews
• UK SRS, CSRD and CS3D scoping and reporting gap analysis

“ESG” isn’t just one area of law. It is a complex interaction of legal, political, regulatory and reputational issues spanning the internal life of a business and its impact on the world around it.

We reflect that in our practice.

Our ESG team is distributed across all of our practice areas and coordinated by people with board-level in-house experience. This allows us to understand how these issues operate in practice and to provide joined‑up support that reflects commercial realities as well as regulatory expectations.

If you would like to discuss how these developments may apply to your organisation, please get in touch for a no obligation discussion.