On 2 July 2026, the EU starts regulating ESG ratings the way it has regulated credit ratings for years. It is the first time this happens. The practical consequence is direct: the provider that gives you your ESG score needs to be authorised by ESMA to keep operating in Europe.
If you have a contract with MSCI, Sustainalytics, ISS or S&P, this is a good moment to check the fine print.
What Regulation (EU) 2024/3005 says
Until now, ESG ratings were no man’s land. Each provider had its own methodology, its own criteria and its own scale, with no shared framework and no supervision. That is exactly what Regulation (EU) 2024/3005 sets out to order: transparency, integrity, independence and governance of ESG rating activity, under ESMA’s eye.
Any provider that offers ESG ratings to investors or companies in the EU enters mandatory authorisation and supervision. It is not optional, and there is no diet version.
The dates that matter
The regulation has direct application. It does not depend on each member state transposing it. So the date is the same across all 27 states.
- 2 July 2026: the rules become enforceable.
- 2 August 2026: providers already operating must notify ESMA of their intention to continue.
- 2 November 2026: deadline to file the application for authorisation or recognition (four months from application).
Any provider that does not complete the process has to cease operating in the EU. That is why it pays to know early where your provider stands.
Why this is your problem, not just the provider’s
Two reasons.
The first, the obvious one. If your rating provider is not authorised, you are left without the score on which you base decisions, reporting or investor relations. Switching providers mid-year is not trivial.
The second is less discussed. The regulation amends Article 13 of SFDR: if you use an ESG rating in marketing communications, you will have to publish the corresponding information about that rating on your website. The rating stops being a badge you show when convenient and becomes something you have to sustain with data in the open.
What to review before July
- Take inventory of which ESG ratings you use and where they appear (website, investor decks, sales materials).
- Ask each provider whether they will apply for ESMA authorisation. It is a legitimate question and they should have an answer.
- Confirm they appear in ESMA’s list of authorised providers as it is published: ESG Rating Providers.
Two scenarios to plan for
Most companies are in one of two situations right now, and the response is different for each.
If you use ESG ratings actively in investor communications, you should already be drafting the website disclosures that SFDR Article 13 will require. The information itself is not new, but how and where you publish it changes. Coordinate with investor relations and legal to land on the page format before September, when most providers will start asking for the disclosure as a contract condition.
If you use ESG ratings for internal benchmarking only, the regulatory pressure is lighter, but the supplier risk is the same. A provider that loses authorisation in November cannot keep delivering scores in December. Have a fallback identified before the application window closes.
The data under the rating
An ESG rating is, in the end, a third party reading of your data. And however regulated the reading is now, it still depends on the quality of what goes in.
When your source data, consumption, suppliers, fleet, waste, is connected and traced, you are no longer at the mercy of how each provider fills the gaps you do not give it. You control the raw material of your own score. With or without new regulation, that always plays in your favour.
If you want to see how Dcycle structures the source data layer that feeds ESG ratings, request a demo. For broader regulatory context, the CSRD compliance hub walks through the disclosure obligations that connect with the new ESG rating regime, and our evidence and traceability feature shows the audit trail that providers will increasingly require.