Author: Mehmed

  • Board Liability in the Age of ESG Assurance

    Board Liability in the Age of ESG Assurance

    The board approved the sustainability report.

    Management signed the assertions.

    Six months later, the assurance practitioner asked one question.

    No one in the room could answer it.

    The report was accurate.

    The system that produced it was not defensible.

    That distinction is now a board-level problem.

    The Shift That Most Boards Have Not Yet Made

    For years, sustainability reporting was treated as a disclosure exercise.

    Collect the data. Prepare the report. Meet the deadline.

    Boards reviewed outputs.

    They rarely examined the systems that produced them.

    That approach was manageable when assurance expectations were limited and sustainability information existed outside the formal accountability structure of the organisation.

    That is no longer the case.

    As the Corporate Sustainability Reporting Directive embeds sustainability information into formal corporate reporting, and as the International Standard on Sustainability Assurance establishes the reference point for assurance engagements, the position of the board changes fundamentally.

    Sustainability information is no longer an operational matter reviewed by a specialist team.

    It is a governance matter for which the board is accountable.

    What Board Approval Actually Means

    Many directors still experience ESG report approval as a procedural step.

    Sign here. Move to the next agenda item.

    The legal and operational reality is different.

    When a board approves a sustainability report, it is not simply endorsing a document.

    It is asserting that the information contained in that document was generated, verified and preserved through a system capable of withstanding independent scrutiny.

    That assertion has consequences.

    If the system behind the report cannot demonstrate effective controls over data origin, verification procedures, governance responsibilities and evidence preservation — the board has approved something it cannot defend.

    And under mature assurance frameworks, that gap does not remain invisible for long.

    The Question Boards Are Not Asking

    Boards regularly discuss regulatory risk.

    They discuss reputational risk.

    They discuss financial exposure.

    They rarely ask the question that matters most in an assurance environment:

    If an assurance practitioner examined the system that produced this report — not the report itself — could we demonstrate that every material statement was generated through a controlled, verifiable and defensible process?

    That is not a reporting question.

    It is a governance question.

    And it belongs on the board agenda before the report is approved — not after scrutiny begins.

    Personal Exposure — Where Governance Becomes Individual

    Board liability in the context of ESG assurance is not abstract.

    When a sustainability statement becomes the subject of regulatory scrutiny, investor challenge or litigation, the inquiry does not stop at the level of the legal entity.

    It moves toward the individuals who approved the disclosure.

    The question shifts from:

    “Did the organisation get this wrong?”

    to:

    “Who approved a statement they could not substantiate?”

    Directors who have relied on the assumption that corporate liability shields personal accountability are encountering a different reality.

    As assurance standards mature and sustainability disclosures become increasingly material to investment decisions, regulatory compliance and legal exposure — the personal dimension of board approval becomes impossible to ignore.

    That responsibility cannot be delegated to the sustainability team.

    It cannot be delegated to software.

    It cannot be delegated to external consultants.

    It sits with the governance structure that approved the report.

    What Assurance-Ready Governance Actually Requires

    Assurance readiness is not achieved by possessing audit trails and documented workflows.

    Those are necessary. They are not sufficient.

    A board that is genuinely prepared for the assurance environment must be able to demonstrate that the organisation operates a control environment — not merely a reporting workflow.

    That means:

    Information is generated through defined processes with clear ownership.

    Data is subject to verification procedures designed to identify errors and unsupported assumptions.

    Evidence is preserved in a demonstrable state, protected from unauthorised alteration.

    Governance responsibilities, approvals and accountability mechanisms are formally established and documented.

    Without these elements, the board is approving a report it cannot defend.

    With them, approval becomes an informed governance act — not a procedural formality.

    The Governance Question for 2027

    The organisations that navigate this period successfully will not necessarily be those that produce the most comprehensive sustainability reports.

    They will be the organisations whose boards understood one thing early:

    Approving a report and being able to defend it are not the same act.

    The first requires a signature.

    The second requires a system.

    As assurance environments continue to mature, the question facing every board is no longer whether the report appears credible.

    It is whether the governance structure behind it can demonstrate why it should be.

    Other blogs

    Odgovornost upravnog odbora u eri ESG provjere

    Board Liability in the Age of ESG Assurance

    The management board approved the sustainability report. The management signed statements...

    Greenwashing više nije marketing problem – kada postaje lična odgovornost uprave?

    Greenwashing is no longer a marketing problem - when does it become personal liability for management?

    The company announced that its supply chain is “fully…

  • Greenwashing is no longer a marketing problem - when does it become personal liability for management?

    Greenwashing is no longer a marketing problem - when does it become personal liability for management?

    The company stated that its supply chain was “fully aligned with sustainability standards.”

    The prosecutor asked a single question.

    There was no answer.

    This is no longer a story about poor communication.

    It is a story about how one sentence in marketing material can become evidence in a legal proceeding.

    Greenwashing has changed its address

    Until now, greenwashing was mainly a reputational issue.

    A journalist asks a question.
    An NGO publishes a report.
    The company apologizes and changes its PR agency.

    The Corporate Sustainability Due Diligence Directive ends that story.

    The directive does not ask companies to be honest in marketing.

    It asks something harder.

    To be able to prove - at any moment - how a claim was formed, who approved it, and on what verifiable facts it is based.

    Not only within the company.

    Across the entire value chain.

    When a company publicly claims it complies with sustainability standards but cannot show evidence of due diligence behind that claim, we are no longer talking about a marketing error.

    We are talking about a systemic failure.

    And systemic failures have legal consequences.

    From reputational to legal risk

    This is the point that most Balkan exporters to the EU market have not yet understood.

    The Corporate Sustainability Due Diligence Directive introduces civil liability for damage caused by failures in value chain due diligence.

    But the practical consequences go much further.

    When it is established that a public sustainability statement was false, and the company did not have a system capable of preventing or detecting it, the door opens to:

    • civil lawsuits from affected parties in the value chain
    • administrative penalties that can reach a significant percentage of global annual turnover
    • potential criminal liability in jurisdictions where false public statements, misleading business practices, or failure of oversight can trigger existing criminal law mechanisms

    For an exporter from the Balkans, this is not an abstract threat from Brussels.

    This is a risk that travels through contracts.

    With every EU partner who is required to apply due diligence across their entire supply chain - including you.

    Why “good faith” is legally irrelevant

    Directors often believe they are protected by good intentions.

    “We believed the supplier was compliant.”
    “We did not know about the violation.”
    “We acted in good faith.”

    Legally speaking, good faith without a documented process is not a defense.

    It is an admission that no system existed.

    The Corporate Sustainability Due Diligence Directive does not ask whether you believed everything was fine.

    It asks:

    “Did you have a process that could confirm it?”

    With documented steps.
    Identified risks.
    Mitigation measures.
    And evidence that can be shown to an independent body.

    If that process does not exist, the claim of “belief” stops being protection.

    It becomes evidence of negligence.

    Personal exposure of directors - when greenwashing stops being a PR issue

    This is where greenwashing changes category.

    When a public sustainability claim becomes the subject of an investigation, the focus does not stop at the company.

    It shifts toward the individual who:

    • approved the claim
    • signed the report
    • presented the company as compliant

    This is the moment when the question changes from:

    “Did the company make a mistake?”

    to:

    “Who personally approved a statement that turned out to be false?”

    Directors who are used to responsibility staying at the level of the legal entity are facing a new reality:

    Responsibility moves upward to them personally once it is established that no adequate due diligence process existed.

    What this means for Balkan exporters - today

    If your company exports to the EU, directly or through an intermediary, your partner is likely already required to obtain evidence of your due diligence process.

    Not a statement. Evidence.

    The question every board should ask today:

    If your public sustainability claim were challenged tomorrow - do you have a documented process that identified, assessed, and addressed the risk before it became harm?

    If the answer is unclear, the problem is not marketing.

    The problem is the system architecture behind every public claim.

    Greenwashing is no longer a communication style issue

    The 2027 market will not punish companies that poorly communicate sustainability.

    It will punish companies that cannot prove that behind every claim there was a process capable of verifying it - before someone else does.

    Greenwashing is no longer a reputational issue.

    It has become a test of whether management can prove it knew - or should have known - what stands behind the claim it approved.

    And in law, that difference often decides between mistake and liability.

    Other blogs

    Odgovornost upravnog odbora u eri ESG provjere

    Board Liability in the Age of ESG Assurance

    The management board approved the sustainability report. The management signed statements...

    Greenwashing više nije marketing problem – kada postaje lična odgovornost uprave?

    Greenwashing is no longer a marketing problem - when does it become personal liability for management?

    The company announced that its supply chain is “fully…

  • ISSA 5000 Will Not Test Your ESG Report - It Will Test Your System

    ISSA 5000 Will Not Test Your ESG Report - It Will Test Your System

    For years, sustainability reporting has been evaluated primarily through the lens of disclosure.

    Organisations focused on whether required metrics were reported, whether narratives were coherent, and whether sustainability statements aligned with applicable reporting frameworks.

    That era is ending.

    As assurance expectations mature and the International Standard on Sustainability Assurance (ISSA 5000) becomes the reference point for assurance engagements, the focus is shifting away from what organisations disclose and toward how that information is generated, controlled, validated and preserved.

    The distinction may appear subtle.

    In practice, it changes everything.

    The Traditional ESG Mindset

    Most ESG programmes evolved around reporting obligations.

    Data was collected from multiple departments, consolidated in spreadsheets or reporting platforms, reviewed by sustainability teams and ultimately transformed into disclosures.

    The primary objective was completeness.

    Can we gather the information?

    Can we prepare the report?

    Can we meet the deadline?

    In this environment, systems were designed to facilitate reporting workflows.

    They were not necessarily designed to create defensible evidence.

    As long as disclosures appeared reasonable and assurance expectations remained limited, that distinction often went unnoticed.

    ISSA 5000 changes the equation.

    The Question Is No Longer About the Report

    Historically, organisations have been accustomed to questions such as: 


    Does the disclosure comply with the framework?


    Is the reported information consistent?


    Can management explain the methodology?


    These questions focus on outputs.

    ISSA 5000 introduces a different perspective.

    The assurance practitioner must obtain sufficient appropriate evidence regarding sustainability information.

    That requirement inevitably shifts attention toward the underlying system.

    The real question becomes:

    Can the organisation demonstrate effective control over the generation, verification and preservation of sustainability information?

    This is not a reporting question.

    It is a systems question.

    Assurance Begins Long Before the Report

    Many organisations still view assurance as a review conducted near the end of the reporting cycle.

    That assumption is increasingly problematic.

    Evidence quality is determined at the moment information is generated, not when it is reported.

    If source data lacks ownership, validation logic, preservation controls or documented procedures, no amount of late-stage review can fully compensate for those weaknesses.

    Assurance therefore begins upstream.

    It begins with:

    • Data origin
    • Control design
    • Validation procedures
    • Governance responsibilities
    • Evidence preservation

    The report merely reflects the effectiveness of those elements.

    Why Architecture Matters

    Most ESG systems were built to consolidate disclosures.

    Very few were built to preserve evidence.

    This distinction becomes critical under assurance.

    A reporting platform may successfully aggregate information from dozens of sources.

    However, assurance requires more than aggregation.

    It requires organisations to demonstrate:

    • How information entered the system
    • Who verified it
    • Which controls were applied
    • Whether changes were tracked
    • Whether evidence was preserved

    Whether management can demonstrate the state of information at the time of attestation

    Without structured evidence architecture, organisations may possess data but lack defensible proof.

    That gap often remains invisible until scrutiny occurs.

    From Workflow to Control Environment

    The operational implication of ISSA 5000 is straightforward.

    ESG systems can no longer be viewed as reporting tools alone.

    They must function as control environments.

    A mature sustainability information system should be capable of demonstrating:

    • Generation Controls: Information is produced through defined processes with clear ownership and documented methodologies.
    • Verification Controls: Data is subject to review procedures designed to identify errors, inconsistencies and unsupported assumptions.
    • Preservation Controls: Evidence is protected from unauthorised alteration and maintained in a demonstrable state.
    • Governance Controls: Responsibilities, approvals and accountability mechanisms are formally established and documented.

    These controls collectively form the foundation of assurance readiness.

    Audit Readiness Is Not Defensibility

    Many organisations believe they are prepared because they possess audit trails and documented workflows.

    Those capabilities are important.

    They are not sufficient.

    An audit trail records activity.

    Defensibility requires evidence preservation.

    Audit readiness assumes cooperation.

    Defensibility anticipates scrutiny.

    As sustainability disclosures become increasingly relevant to investors, regulators and litigation risk, organisations must consider not only whether information can be reviewed, but whether it can be defended.

    The difference is significant.

    One supports reporting.

    The other supports accountability.

    The Governance Dimension

    Perhaps the most overlooked implication of ISSA 5000 is governance.

    Boards approve sustainability reports.

    Management signs assertions.

    These actions transform sustainability information from an operational matter into a governance matter.

    The question facing leadership is therefore not:

    “Can we produce the report?”

    But:

    “Can we demonstrate that the information was generated, verified and preserved under effective controls?”

    That responsibility cannot be delegated to software.

    It cannot be delegated to consultants.

    Ultimately, it belongs to the organisation’s governance structure.

    The Future of Assurance

    The organisations that will navigate the next phase successfully are not necessarily those that disclose the most information.

    They will be the organisations that understand how evidence is created, controlled and preserved.

    ISSA 5000 is not simply raising expectations for sustainability reports.

    It is raising expectations for sustainability systems.

    And as assurance environments continue to mature, the decisive question will not be whether a report appears credible.

    It will be whether the system behind it can demonstrate why it is.

    Other blogs

    Odgovornost upravnog odbora u eri ESG provjere

    Board Liability in the Age of ESG Assurance

    The management board approved the sustainability report. The management signed statements...

    Greenwashing više nije marketing problem – kada postaje lična odgovornost uprave?

    Greenwashing is no longer a marketing problem - when does it become personal liability for management?

    The company announced that its supply chain is “fully…

  • Who Signs the ESG Report in 2027 – and Do They Understand What They Are Signing?

    Who Signs the ESG Report in 2027 – and Do They Understand What They Are Signing?

    Most companies still view ESG as a compliance project.

    That is a dangerous misconception.

    Because the moment a sustainability report becomes part of formal corporate reporting, the question is no longer:

    “Who prepared the data?”

    The question becomes:

    “Who signed that it is accurate?”

    And that is precisely where the new era of management accountability begins.

    ESG Is No Longer an ESG Team Issue

    The Corporate Sustainability Reporting Directive (CSRD) did not merely expand the scope of disclosures.

    It changed the location of responsibility.

    Sustainability is no longer treated as a separate function.

    It becomes part of corporate governance.

    In other words:

    ESG data enters the sphere of responsibility of management boards and supervisory boards.

    And entirely different rules apply there.

    Effort is not evaluated.

    Evidence is.

    What Does Board Attestation Actually Mean?

    Many directors still perceive an ESG report as a document prepared by the sustainability team.

    From a legal perspective, the situation looks different.

    When management approves a report, it implicitly confirms that it believes in the reliability of the data contained within it.

    That does not mean a director must personally collect every piece of data.

    But it does mean they must have reasonable assurance that the system producing it functions properly.

    This is exactly why regulatory focus is increasingly shifting from the content of the report to the system that generates it.

    The Most Dangerous Question an Auditor Can Ask

    There is one question capable of collapsing an entire ESG narrative:

    “How do you know this data is accurate?”

    Not:

    “Where is the number?”

    But:

    “How was it created?”

    If an organization cannot demonstrate:

    • the source of the data
    • the responsible person
    • the methodology
    • the control points
    • the audit trail

    then the problem is not the data.

    The problem is the system.

    And when the system fails, the credibility of the report fails with it.

    Personal Exposure of Directors

    Boards frequently discuss regulatory risk.

    They discuss personal exposure far less often.

    Yet this is where the greatest change is taking place.

    When an ESG claim becomes the subject of regulatory scrutiny, an audit, or a dispute, attention naturally shifts to the person who approved its publication.

    The question is no longer:

    “Who made the mistake?”

    But:

    “Who assumed responsibility?”

    At that moment, ESG ceases to be an operational issue.

    It becomes a matter of professional accountability.

    A Document Is Not Evidence

    Many organizations have hundreds of ESG documents.

    Policies. Procedures. Reports. Presentations.

    But a document is not evidence.

    Evidence exists only when it is possible to demonstrate:

    • the origin of the information
    • the integrity of the information
    • continuity of control
    • the ability to independently verify it

    Without that, a document remains only a claim.

    The Question Every Board Should Be Asking Today

    If tomorrow you had to defend a single ESG claim before an auditor, regulator, or investor:

    Could you prove how it was created?

    If the answer is uncertain, the problem is not the report.

    The problem is the system architecture.

    Because in 2027, the market will not reward the longest ESG reports.

    It will reward organizations that can demonstrate that every claim within them was created through a controlled, verifiable, and defensible process.

    The ESG of the future is not a question of narrative.

    It is a question of the signature beneath it.

    Other blogs

    Odgovornost upravnog odbora u eri ESG provjere

    Board Liability in the Age of ESG Assurance

    The management board approved the sustainability report. The management signed statements...

    Greenwashing više nije marketing problem – kada postaje lična odgovornost uprave?

    Greenwashing is no longer a marketing problem - when does it become personal liability for management?

    The company announced that its supply chain is “fully…

  • Do You Export to the EU?

    Do You Export to the EU?

    Your ESG system is already under review – even if you are not subject to CSRD. Many companies in the Balkans still believe: “We are not subject to CSRD. It only applies to large EU companies.” Formally – correct. From a market perspective – completely irrelevant. If you export to the EU, your ESG system is already being assessed. Not by regulators. By your customers.

    You are losing revenue before you even understand why. EU buyers have changed the way they evaluate suppliers. Tender documentation and ESG due diligence questionnaires increasingly require:

    • ESG policies and procedures
    • Emissions data (especially Scope 3)
    • Supply chain data
    • Proof of implemented due diligence processes
    • Management sustainability statements

    This is no longer a reputational issue. It is a market filter. If you cannot demonstrate control over this information – you are not a reliable supplier. And no one will tell you ESG is the reason. You will simply lose the tender.

    Your customer is the obligated party. You are part of their responsibility.

    Under the Corporate Sustainability Due Diligence Directive, large EU companies are required to identify and manage risks across their entire value chain.

    If you cannot provide reliable and verifiable data:

    • the risk transfers to them
    • the responsibility remains with their management
    • reputational exposure increases

    And no serious management team will accept a risk it cannot control. That is why ESG is no longer your internal issue. It is part of their fiduciary duty.

    This is simultaneously a revenue risk and a personal risk.

    For the owner:

    If you cannot prove the reliability of ESG data, you lose access to the EU market. That is a direct impact on revenue, value multiplier, and the long-term sustainability of the company.

    For management:

    When you sign a sustainability statement or confirm ESG data to a customer, that signature is no longer a formality. It is the assumption of professional – and potentially legal – responsibility. And often without any guarantee that the system behind that signature actually exists. The question is not whether you have the data. The question is whether you can prove how it was created, who controlled it, and whether it was preserved without alteration. The distinction between a document and evidence becomes critical.

    The key question that must be asked now – not when the tender begins

    If an EU customer sends you an ESG questionnaire tomorrow, can you:

    • Provide the requested information on time?
    • Explain the methodology of data collection?
    • Show control points and responsible persons?
    • Take responsibility for its accuracy without operational panic?

    Most companies have fragmented data. Very few have system architecture. And architecture is not built under deadline pressure.

    The cascading effect has already begun

    The Corporate Sustainability Due Diligence Directive is moving down the value chain faster than expected. Companies in the textile, wood-processing, metal, and auto-component sectors across the Balkans are already feeling it.

    The wrong question is:

    “Are we subject to CSRD?”

    The real question is:

    “Is our system robust enough to protect revenue – and the signature?”

    System before reporting

    As sustainability reporting frameworks - including those introduced under the Corporate Sustainability Reporting Directive - move toward progressively stronger assurance expectations, systems will not be evaluated only on outputs.

    They will be evaluated on architecture.

    When ESG data flows across departments, suppliers, spreadsheets, external consultants and digital tools, integrity becomes fragmented.

    Audit logs remain.

    Control logic often does not.

    When Governance Meets Evidence

    PROOFA™ Evidence Architecture™ was developed precisely for this transition – as the first legal-operational instrument connecting forensic evidence logic, ESG requirements, and obligations under the Corporate Sustainability Due Diligence Directive into one structure of accountability and defensibility. Not as software. Not as a marketing ESG tool. As an operational instrument that allows management to sign – knowing that a defensible structure exists behind that signature.

    Because the market no longer asks:

    “Do you have an ESG document?”

    It asks:

    “Can you prove it can be trusted?”

    Other blogs

    Odgovornost upravnog odbora u eri ESG provjere

    Board Liability in the Age of ESG Assurance

    The management board approved the sustainability report. The management signed statements...

    Greenwashing više nije marketing problem – kada postaje lična odgovornost uprave?

    Greenwashing is no longer a marketing problem - when does it become personal liability for management?

    The company announced that its supply chain is “fully…

  • Audit Trail Is Not a Chain of Custody

    Audit Trail Is Not a Chain of Custody

    Why Most ESG Systems Are Structurally Unprepared for What Comes Next

    Most companies believe they are ESG-ready because their system has an audit trail.

    That belief is dangerously incomplete.

    An audit trail records activity.
    A chain of custody protects evidence.

    Those are not the same thing.

    And as ESG reporting moves toward higher levels of assurance under ISSA 5000, this distinction stops being technical - and becomes legal.

    The Illusion of Control

    An audit trail typically shows:

    • who entered data
    • who edited it
    • when changes were made

    This creates a perception of transparency.

    But transparency is not integrity.

    A forensic chain of custody answers different questions:

    • Was the original data preserved?
    • Could it be altered without detection?
    • Was access restricted and documented?
    • Can the organisation demonstrate the state of the data at the moment management signed the report?

    Most ESG platforms were built for workflow efficiency and disclosure consolidation.

    They were not built for evidentiary defensibility.

    That difference rarely matters - until scrutiny begins.

    What Changes Under ISSA 5000

    ISSA 5000 shifts the focus from narrative coherence to control demonstration.

    The question shifts from:

    “Does this disclosure look consistent?”

    to:

    “Can the organisation demonstrate effective control over the generation, verification and preservation of this information?”

    As sustainability reporting frameworks - including those introduced under the Corporate Sustainability Reporting Directive - move toward progressively stronger assurance expectations, systems will not be evaluated only on outputs.

    They will be evaluated on architecture.

    When ESG data flows across departments, suppliers, spreadsheets, external consultants and digital tools, integrity becomes fragmented.

    Audit logs remain.

    Control logic often does not.

    When Governance Meets Evidence

    Board members sign sustainability reports.

    Management asserts that controls are in place.

    But here is the structural question rarely asked at board level:

    Can we demonstrate that our ESG data is legally defensible - not merely traceable?

    Traceability shows movement.
    Defensibility shows preservation.

    If a sustainability claim is challenged - by regulators, investors or in litigation - the issue will not be whether the data was entered in good faith.

    The issue will be whether the organisation can prove that the information was:

    • generated under defined controls
    • verified through documented procedures
    • protected from silent alteration
    • preserved in a demonstrable state at the time of attestation

    That requires architecture.

    Not reporting dashboards.

    The Hidden Exposure

    As sustainability disclosures integrate into governance and director oversight duties under instruments such as Directive 2013/34/EU, ESG systems become part of corporate accountability infrastructure.

    This is no longer an IT question.
    It is not a communications question.

    It is a governance question.

    Because once management signs, assertions move from operational to personal.

    And personal exposure is rarely mitigated by an audit trail alone.

    The Structural Vulnerability

    We are entering a phase where:

    • ESG disclosures are assured, not merely published.
    • Sustainability claims are litigated, not merely criticised.
    • AI tools assist in generating data and narratives - while responsibility remains human.

    In this environment, weak evidence architecture is not a technical inconvenience.

    It is a structural vulnerability.

    Most organisations do not recognise the gap - because their systems have never been tested under adversarial conditions.

    Yet.

    The Audit Assumption

    External assurance assumes good faith and cooperation.

    The auditor reviews. The organisation responds. A qualified opinion is issued. The process ends.

    But the scenarios that create real organisational exposure do not operate on those terms.

    A regulatory investigation does not assume good faith.
    An investor claim does not assume cooperation.
    A greenwashing proceeding does not ask whether the report looked consistent when it was filed.

    It asks whether the organisation can prove - retroactively, under pressure, with an opposing party actively looking for failures - that every data point was generated under defined controls, protected from alteration, and preserved in a demonstrable state.

    Audit readiness and adversarial defensibility are not the same thing.

    Most organisations have designed for the first.

    Almost none have designed for the second.

    From Traceability to Defensibility

    Most ESG systems were designed to produce reports.

    Very few were designed to withstand scrutiny.

    PROOFA™ was developed as a legal-operational instrument integrating forensic standards, ESG disclosure logic under the Corporate Sustainability Reporting Directive, and Evidence Architecture™ methodology into one structured framework.

    It is not reporting software.

    It is a defensibility instrument.

    Its purpose is not to generate sustainability claims - but to structure how ESG data is preserved, verified and attested in a manner capable of withstanding assurance, investigation or dispute.

    Because in the assurance environment shaped by ISSA 5000, the decisive question will not be whether your report reads well.

    It will be whether your system holds.

    Does your organisation have an audit trail - or a true forensic chain of custody for ESG data?

    Other blogs

    Odgovornost upravnog odbora u eri ESG provjere

    Board Liability in the Age of ESG Assurance

    The management board approved the sustainability report. The management signed statements...

    Greenwashing više nije marketing problem – kada postaje lična odgovornost uprave?

    Greenwashing is no longer a marketing problem - when does it become personal liability for management?

    The company announced that its supply chain is “fully…

  • U.S. Supreme Court vs. the Executive Branch: what Balkan exporters need to know

    U.S. Supreme Court vs. the Executive Branch: what Balkan exporters need to know

    Analysis of the decision Learning Resources, Inc. v. Trump and its operational consequences

    What happened?

    On February 20, 2026, the Supreme Court of the United States issued its decision in the case Learning Resources, Inc. v. Trump, invalidating the tariff regime that the presidential administration had introduced under the International Emergency Economic Powers Act (IEEPA). In a 6–3 ruling, the Court held that tariffs are not a regulatory instrument—they are a form of taxation. The power of taxation under the U.S. Constitution belongs to Congress, not the executive branch, and cannot be derived from a general statutory authorization to manage emergencies.

    This is not a narrow trade decision. It is a constitutional ruling on the limits of executive power in the economic sphere.

    The Court applied the Major Questions Doctrine: where executive action carries economic and political significance of vast scale—here, a tariff regime generating between $160 and $175 billion in revenue—clear and explicit congressional authorization is required. General language in emergency legislation does not meet that threshold.

    What followed?

    On March 4, 2026, the U.S. Court of International Trade (CIT) ordered U.S. Customs and Border Protection (CBP) to initiate the process of refunding unlawfully collected duties. CBP is developing an electronic refund system called CAPE within its Automated Commercial Environment (ACE), with an interim deadline of April 20, 2026.

    The administration did not withdraw. It immediately introduced new tariffs—this time under Section 122 of the Trade Expansion Act of 1962, which constitutes clear congressional authorization. The tariff pressure therefore remains, only under a different legal basis.

    The government has until May 4, 2026 to file an appeal against the CIT order. If the appeal succeeds, the right to refunds could be limited only to the parties that initiated legal proceedings.

    Who is entitled to a refund—and why the answer is not simple?

    This is the point where Balkan exporters most often make incorrect assumptions.

    The right to file a claim in the CAPE system belongs exclusively to the importer of record in the United States—the U.S. legal entity that physically imported the goods into the country and paid the duty to CBP. That is your American buyer, distributor, or partner, not your company.

    A Balkan exporter has no direct right to a refund, except in one scenario: if, by contract, it assumed the role of the party bearing the customs burden.

    Here, the contractual structure is decisive.

    Incoterms are standardized rules of the International Chamber of Commerce that determine who bears costs and risks in international sales. Two clauses are operationally relevant:

    • DDP (Delivered Duty Paid) – the seller, i.e. your company, bears all costs including duties in the destination country. If you delivered under DDP in the period April 2025 – February 2026, you effectively bore the customs burden, either through pricing or directly.
    • DAP (Delivered at Place) – the goods arrive at the agreed location, but the duty in the U.S. is paid by the buyer. The customs burden is on the American partner.

    If your American partner operated under DAP, they bore the duty and now potentially have the right to a refund. This does not mean you were harmed in a legal sense. But it does mean that in negotiating new contractual terms, you possess a relevant fact about your partner’s economic position.

    Three operational steps

    Step 1: Review of contractual structure

    Review all contracts concluded or active in the period April 2025 – February 2026. Determine which Incoterms were used and who was contractually responsible for customs costs. This is not an administrative step—it is the legal basis for everything that follows.

    Step 2: Review of deadlines

    For entries that have not yet been liquidated: it is possible to file a post-summary correction directly with CBP. For entries that have been liquidated and where liquidation is not final: it is possible to file a protest under 19 U.S.C. § 1514. These deadlines run regardless of whether your American partner is taking action. If you miss the deadline, the right expires.

    Step 3: Contractual mechanism for the future

    The Learning Resources decision does not guarantee stability of the tariff environment. The administration immediately applied an alternative legal basis for new tariffs. New contracts must include clauses that clearly allocate customs risk and provide a mechanism for adjustment in case of regulatory change—regardless of which party bears the burden in a specific transaction.

    The broader picture

    The Learning Resources decision has implications that go beyond trade law. The U.S. Supreme Court has set a standard: the executive branch cannot assume core legislative powers by invoking general emergency authorities, even in the field of foreign economic policy. That principle—that economic measures of vast scope require clear legislative authorization—also resonates in the European regulatory space, particularly in the context of delegated acts and the implementation of the AI Act.

    For lawyers advising clients with export exposure to the U.S., this is the moment to review not only contractual clauses, but also the overall allocation of regulatory risk in existing and future arrangements.

    Other blogs

    Odgovornost upravnog odbora u eri ESG provjere

    Board Liability in the Age of ESG Assurance

    The management board approved the sustainability report. The management signed statements...

    Greenwashing više nije marketing problem – kada postaje lična odgovornost uprave?

    Greenwashing is no longer a marketing problem - when does it become personal liability for management?

    The company announced that its supply chain is “fully…

  • CSRD 2026: The Omnibus I Shift and the Standard of Due Diligence

    CSRD 2026: The Omnibus I Shift and the Standard of Due Diligence

    Beyond compliance: why Evidence Architecture is now a legal necessity - and a personal risk for every director who signs.

    Most boards think Omnibus I bought them time. It didn’t. It transferred the risk - from the regulator to the director personally. Here is what a rigorous legal analysis of the March 2026 threshold changes actually reveals.

    1. The Extraterritorial Reality of the Supply Chain

    On March 19, 2026, the EU’s Omnibus I package raised CSRD reporting thresholds to companies with over 1,000 employees and turnover exceeding €450 million. The legislator narrowed the mandatory scope. The market did not follow.

    The legal obligation to report may be bounded by thresholds. The contractual obligation to provide data is not.

    If your German, Austrian, or Italian partner is CSRD-obligated -and they are - every gram of their sustainability burden travels downstream via contract. Whether you operate from Warsaw, Podgorica, Beograd, Zagreb, USA, Seoul, or São Paulo, the question has shifted permanently:

    The core legal question is no longer about the mandate to report. It is about the standard of proof.

    Boards that interpreted the threshold increase as a reprieve misread the signal entirely. The compliance perimeter contracted. The evidentiary expectation did not.

    2. Evidence Architecture: The Forensic Standard

    Sustainability data is completing a transition that began years ago: from corporate communication to legal evidence.

    Across jurisdictions, a consistent pattern emerges in legal and audit practice: auditors do not challenge the data. They challenge the system that produced it.

    This is what I define as Evidence Architecture - the systematic design of audit trails that can withstand not just regulatory review, but legal scrutiny. An Excel spreadsheet or a PDF without a verifiable chain of custody does not meet this standard. It is not a compliance gap. It is a liability.

    What the Forensic Standard Requires:

    • Digital Chain of Custody - A traceable, time-stamped record from the point of data origin to final disclosure. Not a summary. A trail.
    • Methodological Consistency - Q1 data collection must be defensibly identical to Q4. Inconsistency is the first crack every auditor exploits.
    • Independent Verifiability - Data that can withstand third-party assurance and, where necessary, legal scrutiny. If it cannot be verified externally, it cannot be defended internally.

    3. Governance and the Personalization of Liability
    This is the conversation most boards are not having - and should be.

    Under the CSRD framework, sustainability reporting is elevated to board-level accountability. This is not rhetorical. It is structural. Directors who sign off on ESG disclosures that lack a robust evidentiary basis may be exposing themselves to regulatory sanctions, civil liability, and reputational consequences that follow individuals - not just organizations.

    When a sustainability claim fails audit, the question shifts from what went wrong to who authorized it. In the CSRD context, that person has a name on a board resolution.

    The legal framework is clear: if ESG cannot be substantiated through a designed system of proof, it represents a point of significant professional and legal exposure for those who signed it.

    4. The Value-Chain Cap: A Protection Most Suppliers Don’t Know Exists
    One of the most significant - and most overlooked - provisions of the Omnibus I package is the Value-Chain Cap.

    This provision establishes that large EU entities cannot demand sustainability data from smaller suppliers that exceeds the voluntary SME standards arriving in July 2026. It is a genuine statutory protection. And the majority of non-EU suppliers operating in EU supply chains are entirely unaware of it.

    They are overdelivering on data they are not legally obligated to provide, while underdelivering on the specific, verified data their partners actually require - creating simultaneous risks of unnecessary operational disclosure and continued liability exposure from unverified claims.

    Legal Design allows us to map these boundaries clearly: to identify precisely what you must not provide, and to deliver what you do provide with forensic precision. This is not a documentation exercise. It is a rights exercise.

    5. Legal Design as Operational Infrastructure
    The role of the modern lawyer is not to produce more complexity. It is to make compliance possible, visible, and defensible.

    Legal Design Thinking translates regulatory obligation into operational systems - visual, process-driven architectures where every data point in a sustainability disclosure has a clear, validated, auditable origin. Not hundred-page manuals that no one reads. Systems that employees can actually use and that auditors cannot dismantle.

    In the CSRD era, the primary objective is not merely to report. It is to ensure that every disclosure is rooted in a designed system of truth.

    Integrity Over Narrative. Regulations are subject to political and economic cycles. The structural shift toward verifiable accountability is not. The window created by Omnibus I threshold adjustments should be read precisely as that - a window, not an exit.

    The organizations that will lead in this era are not those with the most elaborate sustainability narratives. They are the ones who can answer one question, instantly, from any point in their supply chain:

    “Where did this number come from - and who validated it?”

    The window is open. The question is whether you are building a system - or just a story.

    Integrity in reporting is not found in the narrative. It is found in the evidence that supports it.

    LDT ESG CHECKLIST 2026 CSRD 2026 BLUEPRINT: ESG Proof Architecture

    Other blogs

    Odgovornost upravnog odbora u eri ESG provjere

    Board Liability in the Age of ESG Assurance

    The management board approved the sustainability report. The management signed statements...

    Greenwashing više nije marketing problem – kada postaje lična odgovornost uprave?

    Greenwashing is no longer a marketing problem - when does it become personal liability for management?

    The company announced that its supply chain is “fully…

  • CSRD 2026 i Balkan

    CSRD 2026 and the Balkans: Postponement Is Not Relief

    Why proof has become the new currency - and how Balkan companies can win in a game whose rules have just changed.

    While Balkan directors and compliance officers were waking up with their morning coffee at the beginning of March, a decision was made in Brussels that made many breathe a sigh of relief - and the wiser ones think deeply. This change comes through the so-called Omnibus I package, through which the European Union simplifies rules related to sustainability reporting. The directive entered into force on March 19, 2026 and drastically raised the thresholds for CSRD reporting. If you think this is the “end of the headache” - you are mistaken.

    1. The big threshold cleaning: Who's out, who's in?

    The new thresholds are high: companies with more than 1,000 employees and turnover exceeding 450 million euros. For a region like the Balkans, this means that only the “heavyweights” will report directly - power utilities, telecoms and the largest industrial systems. However, this is where what I would call a legal boomerang appears.

    EU partner (Germany, AT, IT) ➡️ Distributor / intermediary ➡️ Your company

    The pressure of responsibility flows down the entire supply chain - even when you are not required to report.

    Even if you are not required to write a 200-page report for Brussels, your partners in Germany, Austria or Italy are. And they will transfer every gram of their responsibility onto you.

    “You did not ask whether I am allowed to request this data from you. I asked him: can you afford not to provide it?”

    2. The Balkan paradox: Less law, more forensics

    As a lawyer working at the intersection of law and system design, I rarely see the problem in the law - I almost always see it in the fact that the law has not been translated into a process.

    Past practice in the region has often come down to “creative writing” of ESG strategies. That is dead letter on paper. With the new amendments, the EU focus shifts from the quantity of reports to the integrity of data. I see this as a transition to evidence forensics. Your European partner no longer asks for your statement that you do not pollute the river.

    WHAT YOUR EU PARTNER IS ACTUALLY ASKING FOR

    • Audit Trail - A digital trace from the sensor in the factory to the director’s signature. Every step documented, time-stamped, immutable.
    • Verifiability - Is that data “resistant” to a court proceeding? If tomorrow you are accused of greenwashing, where is your proof?
    • Consistency - Data from Q1 must be methodologically aligned with data from Q4. Inconsistency is the first gap through which an auditor enters.

    3. Shield for SMEs: The Value-Chain Cap

    One of the few real victories for Balkan small and medium-sized enterprises in Omnibus I is the introduction of a limitation of requests within the supply chain. Large players from the EU are no longer allowed to “harass” small suppliers with requests that exceed voluntary standards for SMEs - which arrive in July 2026.

    This is the key point where Legal Design comes into play. Instead of sending hundreds of unorganized documents, you design a map of proof.

    LEGAL DESIGN IN PRACTICE

    • You show what you do not have to provide - you know your rights and the limits of requests
    • You deliver what you deliver with absolute precision - every data point supported by proof
    • Your legitimacy before investors - you do not say “we are responsible”, you prove it

    4. How to win against the “late burnout effect”?

    In the Balkans we usually wait until the last moment. We negotiate with the deadline, not with the substance. But the architecture of facts is not built overnight - and greenwashing lawsuits do not wait for organization.

    “Digitize the evidence immediately. Not tomorrow, not after the election cycle, not when inspections pass. Immediately.”

    Start digitizing evidence today. Every sensor, every supplier contract, every certificate - into a system that leaves a trace.

    Turn legal obligations into visual processes. Let your compliance system be user-friendly for employees, and impenetrable for auditors. The complexity of the law does not have to be the complexity of your system. Facts are the only constant.

    Facts are the only constant

    Regulation will continue to change. Thresholds will rise and fall. Governments will promise and postpone. But the need for irrefutable proof is here to stay - because it is not only regulatory, it is market-driven.

    For Balkan companies, this is not only a question of ecology. This is a question of legal security and survival in the market.

    In a world where everyone promises sustainability, the one who can prove it will win.

    You thought CSRD was postponed? Think again. For the Balkans, the real game is just beginning. I explain why proof - not promise - is the new currency.

    Check your exposure level with the CSRD / ESG CHECKLIST – BALKAN EDITION Download the CSRD 2026 BLUEPRINT: ESG Proof Architecture

    Other blogs

    Odgovornost upravnog odbora u eri ESG provjere

    Board Liability in the Age of ESG Assurance

    The management board approved the sustainability report. The management signed statements...

    Greenwashing više nije marketing problem – kada postaje lična odgovornost uprave?

    Greenwashing is no longer a marketing problem - when does it become personal liability for management?

    The company announced that its supply chain is “fully…

  • CSRD: When ESG Becomes a Personal Risk. How Proof Architecture Shifts ESG from Sustainability to Accountability

    CSRD: When ESG Becomes a Personal Risk. How Proof Architecture Shifts ESG from Sustainability to Accountability

    March has traditionally been about closing financial books. But starting in 2026, March carries a different weight for European and multinational companies. The key question will no longer be: “Are we profitable?” It will be: “Who is personally accountable for the accuracy of this ESG report?”

    The Corporate Sustainability Reporting Directive (CSRD) does not simply expand sustainability reporting; it fundamentally shifts ESG from narrative disclosure to auditable accountability. For the C-suite, this is no longer a reporting task, it is a significant governance exposure.

    From Communication to Governance Exposure

    For years, ESG reporting has operated in a semi-structured space of fragmented systems and manual spreadsheets. CSRD changes the standard by making ESG data subject to mandatory assurance.

    The challenge for most global organizations is the structural gap between their financial ERP systems and their ESG data needs. While a CFO can trust a ledger, they often cannot verify the "digital pedigree" of carbon emissions, water usage, or supply chain labor metrics. Under CSRD, the question is no longer: “Do we have the data?” It is: “Can we prove its origin-and who signed off on it?”

    The End of Collective Ambiguity

    In many organizations, ESG responsibility has been described as "cross-functional" or "shared." While collaboration is essential, collective ambiguity does not satisfy regulatory scrutiny.

    As a legal professional, I see this as a massive liability trap. CSRD requires:

    • Clearly identified signatories who take legal responsibility for the report.
    • Documented internal controls equivalent to financial reporting standards (SOX-level discipline).
    • Defined validation protocols (the "four-eyes" principle).
    • A verifiable audit trail for every material metric.

    If these elements are missing, auditors and regulators will not ask why the system was imperfect. They will ask who was responsible for ensuring it existed. This is where ESG becomes personal.

    Double Materiality: The Liability Filter

    CSRD introduces Double Materiality, requiring companies to report not only how sustainability issues affect them but also how they impact the world.

    From a governance perspective, this acts as a liability filter. If a Board signs off on a report that ignores a significant impact in its value chain, it is no longer just a reporting error-it is a failure of oversight that creates direct governance risk. Double Materiality transforms ESG from a disclosure exercise into a governance exposure map.

    Proof Architecture: The Executive Shield

    Delegation does not equal protection. Without a defined methodology to track data from its origin to the final signature, the Board remains exposed.

    My methodology, Proof Architecture, is designed as a structural shield. It is not about more narrative; it is about documented integrity through five layers:

    • Layer 1 – Data Origin: Responsibility at the point of creation (ERP, meters, HR records).
    • Layer 2 – Verification: Independent validation and documented review processes.
    • Layer 3 – Traceability: Digital logs demonstrating when and by whom data was modified.
    • Layer 4 – Governance Sign-off: Defined authorization levels for reporting inclusion.
    • Layer 5 – Disclosure Responsibility: Executive signatories fully aware of the supporting control environment.

    The Supply Chain Multiplier

    CSRD compliance does not stop at the company boundary. Scope 3 emissions and human rights metrics introduce external dependency risk. A single key supplier with undocumented methodologies can compromise the integrity of your consolidated disclosures. Proof Architecture must extend into supplier contracts, communication standards, and verification protocols to protect the lead organization.

    When the System Fails, Liability Becomes Visible

    CSRD exposes three escalating risk layers:

    • Operational Risk: Inconsistent or undocumented data flows.
    • Reputational Risk: Adverse assurance opinions signaling governance weakness to markets.
    • Governance Risk: Board-level accountability for insufficient internal controls.

    CSRD does not penalize imperfection; it penalizes the absence of structured control.

    The Question Every Board Should Ask in 2026

    When the assurance provider asks: “Where did this number originate-and who validated it?”, will your organization have a documented answer? Or an explanation?

    In 2026, the auditor's signature is not a stamp of approval for your sustainability story; it is a verification of your governance integrity.

    If ESG cannot be proven, it cannot be defended. And if it cannot be defended, it becomes personal.

    LDT ESG CHECKLIST 2026 CSRD 2026 BLUEPRINT: ESG Proof Architecture

    Other blogs

    Odgovornost upravnog odbora u eri ESG provjere

    Board Liability in the Age of ESG Assurance

    The management board approved the sustainability report. The management signed statements...

    Greenwashing više nije marketing problem – kada postaje lična odgovornost uprave?

    Greenwashing is no longer a marketing problem - when does it become personal liability for management?

    The company announced that its supply chain is “fully…

ENG