EU ESG Ratings Regulation: ESMA Authorisation, Provider Obligations, and What Financial Institutions Must Do Before July 2026


FinancialRegulations.EU Team

Regulatory Intelligence


The EU ESG Ratings Regulation (Regulation (EU) 2024/3005) entered into force on 1 January 2025 and applies from 2 July 2026. From that date, any provider offering ESG ratings to investors or companies in the EU must be authorised or registered with ESMA — or benefit from an equivalence, recognition, or endorsement arrangement. Financial institutions that use ESG ratings face new disclosure obligations and, in some cases, new due diligence requirements on which providers they rely upon.

This guide explains who needs ESMA authorisation, how the registration process works, what obligations the regulation imposes on both ESG rating providers and the financial institutions that use their ratings, and how the regulation interacts with SFDR, the SFDR 2.0 review, and the EU Omnibus Package.


What Is an ESG Rating?

For the purposes of the regulation, an ESG rating is an opinion, score, or combination of both, on an entity's or financial instrument's profile or characteristics with respect to environmental, social, and governance factors, or exposure to ESG-related risks, or the impact on society, environment, or governance. This is defined broadly to capture:

  • E ratings — emissions profiles, climate transition risk, biodiversity exposure, water and resource use
  • S ratings — labour standards, supply chain conditions, community impact, human rights
  • G ratings — board structure, executive compensation, anti-corruption, shareholder rights
  • Combined ESG scores — aggregate ratings that combine all three pillars into a single score or grade

Critically, the regulation covers ratings published to investors, not internal assessments by financial institutions for their own portfolio management. A fund manager producing an internal ESG view on a holding is not an "ESG rating provider." The regulation targets third-party providers whose ratings are sold or licensed to financial market participants.


Who Must Be Authorised?

ESG Rating Providers Established in the EU

Any legal entity established in the EU that provides ESG ratings professionally must apply for authorisation from ESMA before 2 July 2026 — or notify ESMA during the transitional window (see below) if already providing ratings before that date.

ESMA is the sole direct supervisor of ESG rating providers. There are no national competent authority (NCA) supervisory tiers for this regulation — it differs from MiCAR or DORA in this respect. NCAs have a role in investigation support and cooperation, but authorisation and ongoing supervision sit entirely with ESMA.

Large providers (annual turnover from ESG rating activities exceeding €50 million) face the full set of obligations immediately from 2 July 2026. Small providers (below the €50 million threshold) benefit from a lighter regime and longer compliance timelines for certain requirements.

Third-Country Providers

ESG rating providers established outside the EU can offer ratings in the EU through three routes:

  1. Equivalence decision — Where the European Commission has determined that the third country's regulatory framework is equivalent. This is suitable for the largest non-EU markets.
  2. Recognition — A third-country provider can apply for recognition directly with ESMA if they meet certain conditions (including submission to ESMA oversight on request).
  3. Endorsement — An EU-authorised provider endorses ratings produced by an affiliated third-country entity, taking on regulatory responsibility for those ratings.

The equivalence and recognition routes are primarily relevant for US-based providers (e.g., S&P Global, MSCI, Sustainalytics) and other large non-EU incumbents. Most are expected to seek equivalence or recognition rather than EU establishment.


Transitional Period and Notification Timeline

The regulation provides a structured transition for providers already active before 2 July 2026:

| Deadline | What Must Happen |
|---|---|
| 2 April 2026 | Each Member State designates a national competent authority for cooperation purposes |
| 2 July 2026 | Regulation applies; all new providers entering the EU market after this date must be authorised first |
| 2 August 2026 | Large ESG rating providers (annual turnover above €50M) must notify ESMA of intention to continue offering services and apply for authorisation |
| 2 November 2026 | Small ESG rating providers (annual turnover below €50M) notification deadline |
| 1 January 2028 | ESG rating providers must submit information via ESAP (European Single Access Point, Regulation (EU) 2023/2859) |

During the transitional window (2 August 2026 to the notification deadline), providers that have notified ESMA may continue offering services while their application is being assessed. Providers that fail to notify lose the right to continue offering services in the EU.


What the Regulation Requires: Providers

1. Governance and Independence

ESG rating providers must have robust governance arrangements, including:

  • A management body with sufficient collective expertise in ESG-related fields
  • Independent directors — for large providers, at least one third (and no fewer than two) of management body members must be independent
  • An independent compliance function — whether internal or contracted for small providers
  • An internal audit function for large providers

The regulation prohibits ESG rating providers from providing consulting services to rated entities, from providing benchmarks (under the Benchmarks Regulation) through the same legal entity, and from providing credit ratings (under the CRA Regulation) through the same entity — unless they establish structural separation between these activities.

2. Conflicts of Interest

The regulation addresses the persistent criticism that ESG rating providers have commercial relationships with the very entities they rate. Requirements include:

  • Identification, disclosure, prevention, and management of all actual and potential conflicts of interest
  • Publication of a conflicts of interest policy on the provider's website
  • Separation of commercial activities (including index licensing and data provision) from rating activities where conflicts exist
  • Where separation is insufficient, mandatory disclosure of conflicts to ESMA and to users of the rating

Fees charged to rated entities (issuer-pays model) must be disclosed to ESMA and must not be contingent on the outcome of the rating.

3. Methodology Transparency

Each ESG rating provider must publish on its website:

  • The methodologies, models, and key rating assumptions used to produce ESG ratings
  • The time horizon covered by the rating
  • How E, S, and G factors are weighted relative to each other in the overall score
  • Whether the rating measures ESG risks (risks to the entity from ESG factors) or ESG impacts (the entity's impact on society and environment) — this is a critical disclosure because these two approaches yield materially different results and are not equivalent
  • Data sources used, including how gaps in data are handled
  • How often ratings are reviewed and updated

ESMA will develop regulatory technical standards (RTS) specifying the detailed disclosure format and content requirements.

4. Separation of Business Lines

Large ESG rating providers that also provide ancillary services (data, indices, analytics, advisory, credit ratings) must establish appropriate separation between the ESG rating activity and those services. This can be achieved through:

  • Separate legal entities within a group
  • Functional separation with documented information barriers
  • In some cases, divestment of conflicting businesses

The regulation does not require full corporate separation for all ancillary services, but requires that the provider can demonstrate independent operation of the rating function.

5. Record-Keeping and Audit Trail

Providers must keep records of:

  • Rating decisions and the analysts involved
  • Communications with rated entities during the rating process
  • Data and models used
  • Changes to ratings and the reasons for changes

Records must be retained for at least five years.


What the Regulation Requires: Users of ESG Ratings

The regulation's primary obligations fall on ESG rating providers, not on financial institutions that use ratings. However, several provisions directly affect financial market participants:

SFDR Amendment: Website Disclosure

Regulation (EU) 2024/3005 amends the Sustainable Finance Disclosure Regulation (SFDR). Under the amendment, financial market participants and financial advisers that disclose an ESG rating to third parties as part of their marketing communications must include on their website information specified in Annex III of the ESG Ratings Regulation. This includes:

  • The name of the ESG rating provider
  • A description of what the rating measures (ESG risk vs. ESG impact)
  • The methodology used by the provider
  • A link to the provider's ESMA registration page

This obligation applies whenever an ESG rating is cited in marketing materials — fund factsheets, investor presentations, website descriptions, and pre-contractual SFDR disclosures. Financial institutions cannot simply cite a "Triple-A ESG score from [Provider]" without also disclosing the nature and source of that rating.

Due Diligence on Providers

The regulation does not impose explicit due diligence obligations on rating users in the same way that the Credit Rating Agencies Regulation imposes reliance restrictions. However, the SFDR amendment creates an indirect incentive for due diligence: if a financial institution discloses an ESG rating and that rating comes from a provider that is not ESMA-authorised (or exempt via equivalence/recognition/endorsement), the institution faces reputational and potentially legal exposure.

Asset managers subject to SFDR should therefore:

  1. Audit which ESG rating providers they currently use for fund classification (Article 6, 8, or 9) and portfolio reporting
  2. Confirm that each provider will be authorised, registered, or equivalent from 2 July 2026
  3. Update fund documentation, pre-contractual disclosures, and website disclosures to include the required Annex III information
  4. Establish a process for updating disclosures if a provider's registration status changes

Impact on SFDR Product Classification

The ESG Ratings Regulation does not change the SFDR product classification framework (Article 6, 8, 9) directly — those are addressed in the separate SFDR review process. However, the methodology transparency requirements for ESG rating providers will affect how fund managers evidence the "sustainable investment" definition under SFDR Article 2(17).

From 2 July 2026, a fund manager citing an ESG rating to justify a sustainable investment classification must be able to demonstrate that the underlying methodology is consistent with the fund's stated sustainability objective — a higher bar than merely citing a provider's headline score.


Interaction with Taxonomy and CSRD

The ESG Ratings Regulation is part of a broader sustainable finance architecture:

Taxonomy Regulation — The EU Taxonomy provides a classification system for environmentally sustainable economic activities. ESG rating providers that incorporate Taxonomy alignment into their ratings must disclose how they use Taxonomy data and to what extent alignment (or partial alignment) affects the overall ESG score. The EU Omnibus Package 2026 has delayed some Taxonomy reporting requirements, which may affect the data availability ESG rating providers can use.

CSRD — Corporate Sustainability Reporting Directive data, when published by rated entities, provides standardised input data for ESG ratings. The quality and comparability of ESG ratings is expected to improve significantly as CSRD data becomes available — but the Omnibus Package's scope reduction (now applying only to companies with more than 1,000 employees and more than €450M turnover) means that smaller entities will not produce CSRD-compliant data, creating potential data gaps for ESG rating providers covering SME issuers.

PRIIPs / MiFID II Sustainability Preferences — Under MiFID II sustainability preferences (in force since August 2022), investment advisers must ask retail clients about their ESG preferences and align recommendations accordingly. ESG ratings are one way advisers evidence that a product meets a client's expressed preferences. The improved transparency and comparability under the ESG Ratings Regulation will help advisers select products and document suitability.


Key Compliance Timeline

| Date | Action Required |
|---|---|
| Now (2026) | Audit ESG rating providers used; confirm authorisation plans |
| 2 April 2026 | Member States designate national competent authorities |
| 2 July 2026 | Regulation applies; new providers must be authorised before entering EU market |
| 2 August 2026 | Large providers (above €50M turnover) notify ESMA; financial institutions update SFDR website disclosures |
| 2 November 2026 | Small providers (below €50M turnover) notification deadline |
| 2026–2027 | ESMA processes authorisation applications; RTS implementation |
| 1 January 2028 | ESAP reporting obligations begin |

Compliance Checklist for Financial Market Participants

Audit your current ESG rating usage:

  • Identify all ESG rating providers used across funds, portfolios, and marketing materials
  • Confirm each provider's plans for ESMA authorisation, equivalence, recognition, or endorsement
  • Note providers that have not announced their compliance route (escalate to relationship manager)

Update fund documentation and disclosures:

  • Review all SFDR pre-contractual disclosures that cite ESG ratings
  • Add Annex III disclosure information (provider name, methodology description, ESMA registration link) to website
  • Review fund factsheets and marketing materials for ESG rating citations
  • Update internal investment guidelines that reference specific ESG ratings or providers

Governance:

  • Brief investment committee and sustainability team on the new disclosure requirements
  • Establish a process for monitoring changes to ESG rating provider authorisation status
  • Document the due diligence process for selecting ESG rating providers post-July 2026
  • Update vendor management framework to include ESG rating providers

The ESG Ratings Regulation is complex and continues to develop through ESMA's RTS process. For targeted analysis of how the regulation applies to your specific products or business model, try our AI-powered query tool — our knowledge base covers the full regulatory text and ESMA technical standards.
