Module 9  ·  Track 3: Leadership and Strategy

The Regulatory and Policy Landscape

Understanding the regulatory picture is not optional for technology leaders.

Duration: 22–26 minutes
Track: Leadership and Strategy

What you will take from this module

Three questions that regulation forces you to answer.

The regulatory landscape is complex and expanding. Most technology leaders lose time in acronym soup. This module cuts through by anchoring every framework to three operating questions that determine whether your programme can withstand scrutiny.

Question 1

What do we need to disclose?

Which frameworks apply to your organisation, what data they require, and what assurance standard that data must meet. This is the compliance baseline.

Question 2

What capability do we need to do that credibly?

Measurement infrastructure, data quality, evidence chains, and governance processes. The gap between what regulation demands and what you can produce is your risk exposure.

Question 3

What happens if we do not?

Financial penalties, capital access restrictions, supply chain exclusion, reputational exposure, and regulatory escalation. The cost of inaction is no longer abstract.

The shift

Five years ago, sustainability reporting for IT was voluntary and loosely defined. Today, regulation is creating binding disclosure obligations with assurance requirements. The space for organisations without measurement capability is narrowing with each regulatory cycle. Every framework in this module connects back to these three questions.

Paris Agreement and SBTi: putting IT estates inside corporate targets.

The Paris Agreement created the global policy framework. SBTi turned that framework into measurable corporate obligations that pull IT into the target boundary.

The Paris Agreement and what it means for enterprise IT

The Paris Agreement, adopted in 2015, sets the framework for global climate action. The central commitment is to limit global temperature rise to well below two degrees Celsius above pre-industrial levels, and to pursue efforts to limit the increase to 1.5 degrees. The mechanism is nationally determined contributions: commitments from individual countries to reduce emissions, which in turn create the policy and regulatory frameworks that companies operate within.

Why does this matter directly for enterprise IT? Because corporate sustainability commitments are increasingly being anchored to the Paris Agreement through science-based targets. A science-based target is an emissions reduction goal calculated to be consistent with the level of decarbonisation required to keep warming within agreed limits. The Science-Based Targets initiative, SBTi, is the primary framework for validating these commitments.

The critical point for technology leaders: If your organisation has set or is planning to set science-based targets, the technology estate is not peripheral. For most large enterprises, technology consumption (including Scope 3 from cloud, hardware, and managed services) is material enough to sit inside the target boundary. That puts technology leaders directly on the hook for delivering against it.

SBTi emissions scenarios and IT implications

Science-based targets under the SBTi framework are calculated against specific emissions scenarios. The most demanding is a 1.5 degree pathway, which requires more rapid and deeper reductions than a 2 degree pathway. For organisations that have set SBTi-validated targets, both Scope 1 and 2 reductions and Scope 3 engagement with major supply chain partners are typically required. Technology supply chains, particularly cloud providers, hardware manufacturers, and large managed service providers, are often material enough to require active engagement rather than just reporting.

The regulatory framework landscape.

Four interconnected frameworks now shape what technology organisations must disclose, measure, and demonstrate. Understanding each one and how they interact is essential for regulatory compliance and credibility.

EU Taxonomy for Sustainable Activities

What it is

A classification system that defines which economic activities can be considered environmentally sustainable. It determines access to green capital, lending terms, and investor classification.

Why it matters for IT

The EU Taxonomy is relevant in two directions. First, it determines whether your organisation's activities can be labelled as sustainable in financial reporting, which affects access to green financing, investor classification, and lending terms. Second, it creates requirements for data centre and ICT investments to demonstrate alignment with specific technical screening criteria, including energy efficiency thresholds and renewable energy sourcing.

Scope and applicability

If your organisation operates in the EU, is funded by EU capital markets, or sells to businesses that are, the EU Taxonomy is already relevant to your sustainability reporting obligations. If you are outside the EU, the Taxonomy is still setting the direction of travel that other regulatory frameworks will follow.

Key IT implications

Data centre energy efficiency standards, renewable energy sourcing requirements, and demonstrable lifecycle emissions reduction are now capital allocation drivers. IT infrastructure investment increasingly needs to be defensible against these criteria.

Corporate Sustainability Reporting Directive (CSRD)

What it is

The EU's primary sustainability disclosure framework, significantly expanding mandatory reporting scope beyond the previous Non-Financial Reporting Directive.

Scope thresholds

Large companies meeting two of three thresholds are progressively entering scope: more than 250 employees, over 40 million euros turnover, or over 20 million euros in assets. The largest organisations report first. Note: the precise implementation timeline and scope are subject to ongoing EU review; organisations should verify current obligations with legal and compliance teams.

Double materiality requirement

Organisations must disclose two dimensions: the financial risks and opportunities that sustainability presents to the organisation, and the impact that the organisation's activities have on the environment and society. Both dimensions must be reported.

What CSRD requires from IT

Digital footprint data (covering energy consumption, emissions, water use, and e-waste) must be reported in a format that is capable of being assured. The data must be auditable. It must include Scope 3 where material. It must be based on defensible measurement methodology, not spend-based proxies presented as physical data. This is why measurement quality and coverage statements are compliance concerns, not just operational ones.

Supply chain reach

CSRD directly applies to EU-headquartered organisations and non-EU companies with significant EU revenue above specified thresholds. But the indirect reach is wider: any organisation that is a material supplier to a CSRD-obligated entity will face sustainability data requests. Organisations that sell to EU-based enterprises, access EU capital markets, or have significant EU operations should treat CSRD as material to governance planning.

Task Force on Climate-related Financial Disclosures (TCFD)

What it is

The dominant framework for disclosing climate-related financial risks and opportunities. Organisations describe their governance of climate risks, strategy for managing them, risk management processes, and metrics and targets used.

Why it matters for technology leaders

Digital infrastructure creates climate risk exposure in both directions. Physical risk: data centres in climate-exposed locations face increasing risk from extreme weather, flooding, heat, and water stress. Transition risk: as carbon pricing, regulation, and market expectations shift, assets and business models dependent on high-carbon infrastructure face increasing cost and stranding risk.

What's required from IT

Technology leaders should be able to articulate their organisation's climate risk exposure through the technology estate. They should ensure that the technology sustainability programme is connected to the TCFD disclosure process rather than running in parallel to it.

Governance integration

TCFD governance requirements mean climate risk assessment and response should be visible in IT leadership accountability, capital allocation decisions, and board-level reporting.

The GHG Protocol Corporate Standard

What it is

The most widely used framework for measuring and reporting greenhouse gas emissions. It defines the rules of the game for corporate sustainability reporting.

Boundary-setting: operational control vs. equity share

The GHG Protocol distinguishes between two boundary-setting approaches. The operational control approach includes emissions from operations the organisation controls. The equity share approach includes emissions proportional to ownership. Most large organisations use the operational control approach. For IT specifically, this means data centres and facilities you control fall clearly within your reporting boundary, while outsourced and cloud services fall in Scope 3.

Scope 2 methods: location-based vs. market-based

The GHG Protocol distinguishes between two Scope 2 methods: location-based (reflecting actual grid carbon intensity) and market-based (reflecting contractual instruments like RECs). At the strategic level, the important point is that your corporate reporting obligations may specify which method you must use, or require both. Understanding which method your organisation is using, and being explicit about that choice in reporting, prevents credibility problems when numbers are compared across years or organisations.

Why this matters for IT

The IT estate footprint sits across all three emission scopes. Understanding where your infrastructure sits in each scope, and which measurement methods apply, is foundational to defensible reporting.

The regulatory acceleration: from voluntary to mandatory.

The regulatory picture has shifted from voluntary disclosure to binding obligation in under a decade. This timeline shows the compression: each step narrows the space for organisations that have not built measurement capability.

2015 · Paris Agreement · VOLUNTARY FRAMEWORK

Global policy framework. 1.5°C / 2°C targets. Creates the obligation chain that eventually pulls enterprise IT into corporate decarbonisation commitments.

2017 · TCFD Framework · VOLUNTARY → INCREASINGLY EXPECTED

Climate-related financial risk disclosure. Governance, strategy, risk management, metrics. Connects climate exposure to board-level reporting. IT infrastructure creates both physical and transition risk.

2020 · EU Taxonomy · CAPITAL ALLOCATION CRITERIA

Classification system defining which activities count as sustainable. Determines access to green capital, lending terms, and investor classification. Data centre energy efficiency thresholds now tied to capital allocation.

2024+ · CSRD Mandatory Disclosure · MANDATORY: BINDING DISCLOSURE

Binding sustainability reporting for large EU companies. Double materiality: financial risk AND environmental impact. IT data must be assurable. Scope 3 included where material. Spend-based proxies insufficient.

2024 · SBTi Version 2 · SCOPE 3 NOW EXPLICIT

Strengthened Scope 3 engagement requirements. Supply chain now explicit in corporate targets. Technology supply chains (cloud, hardware, managed services) are often material enough to require active engagement.

2026+ · Expanding Scope · DIRECTION OF TRAVEL

Regulatory momentum continues globally. AI-specific energy and carbon disclosure frameworks emerging. Expect mandatory sustainability reporting to extend beyond EU, and to deepen in scope and assurance requirements.

The trajectory is clear: voluntary framework → recommended practice → capital allocation criterion → binding disclosure obligation. Each step narrows the space for organisations without measurement capability. The question for technology leaders is not whether this applies to IT. It already does. The question is whether your measurement and governance infrastructure can meet the standard being set.

Double materiality: mapping IT domains on both axes.

CSRD requires organisations to report two dimensions: how sustainability issues affect the organisation financially (financial materiality), and what impact the organisation has on the environment and society (impact materiality). Not all IT domains carry the same weight on both axes.

Quadrant chart. Vertical axis: environmental impact (lower to higher). Horizontal axis: financial risk (lower to higher).

High Impact · Lower Financial Risk
End-User Devices

High aggregate manufacturing and e-waste impact. Lower per-unit financial risk, but material in volume. Lifecycle governance is the lever.

⬤ High Impact · High Financial Risk: Priority Quadrant
Data Centres

Highest combined materiality. Energy, cooling, water, land use. High capex, compliance exposure, uptime risk. Primary focus for CSRD disclosure and TCFD climate risk.

Cloud & Hyperscale

Scope 3 dominant. Vendor lock-in, cost escalation, carbon attribution complexity. Difficult to measure, material to report. Supply chain engagement is essential.

Lower Impact · Lower Financial Risk
Software & SaaS

Low direct environmental impact per unit. Moderate financial risk via licensing and vendor dependency. Material in aggregate but often deprioritised in sustainability planning.

Lower Impact · Higher Financial Risk
AI & Emerging Workloads

Rapidly growing energy demand. High financial exposure via compute cost and capacity constraints. Environmental impact accelerating but not yet fully reflected in most reporting frameworks.

Governance implication: Data centres and cloud sit in the top-right, high on both axes. That is where investment and governance attention should concentrate first. But the full portfolio must be assessed: device programmes, software lifecycle, AI workloads, and supply chain engagement all contribute to the double materiality picture that CSRD requires.

Scope 2 measurement methods: location-based vs. market-based.

Two different ways to measure Scope 2 electricity emissions. Both are valid, but they measure different things, and organisations must report both under CSRD.

Location-Based

Average grid carbon intensity in the location where electricity is consumed

Example: UK data centre drawing 5 MW continuously over the year

2024 UK grid carbon intensity: ~180 gCO₂/kWh

5,000 kW × 8,760 hours × 180 gCO₂/kWh = 7,884 tonnes CO₂e

This is the physically honest number. It reflects the actual carbon intensity of the grid supplying the facility.

When to use:

Assessing operational decarbonisation progress, understanding actual grid exposure, informing infrastructure siting decisions. This is the operationally relevant number.

Market-Based

Carbon intensity based on contractual instruments (RECs, PPAs) the organisation has purchased

Example: Same data centre with 100% renewable PPA

5,000 kW × 8,760 hours × 0 gCO₂/kWh (renewable) = 0 tonnes CO₂e

This reflects the contractual renewable claim, but does NOT change the physical grid. Both numbers are correct. They measure different things.

When to use:

Reporting achieved sustainability commitments, demonstrating alignment with renewable procurement targets. But CSRD requires BOTH numbers to be disclosed for transparency.

Critical point:

Market-based claims do NOT eliminate location-based exposure. An organisation can claim 100% renewable energy via RECs, but the physical grid supplying the facility remains unchanged. Under GHG Protocol and CSRD, both figures must be reported. The location-based number is operationally decisive: it is the basis for understanding actual decarbonisation progress and informing infrastructure decisions.

For IT leadership: Understand which method your corporate sustainability commitments and targets are based on. If you are reporting Scope 2 to an SBTi-validated target, you need to know whether you are measuring against location-based, market-based, or both.

Sustainable finance as a practical lever.

Sustainable finance instruments are worth understanding because they are becoming practical tools for funding technology investment. Green bonds, sustainability-linked loans, and ESG-screened capital are moving from aspirational to operational in technology capital allocation.

$1T+ · Annual green bond issuance globally, with technology infrastructure as a qualifying use of proceeds. Data centres and cloud infrastructure decarbonisation projects are increasingly funded through green debt.

SLL · Sustainability-linked loans tie interest rates to sustainability KPI performance, including IT efficiency metrics such as data centre PUE, renewable energy percentage, and Scope 2 intensity reduction targets.

ESG · Institutional capital increasingly requires sustainability performance data. Non-aligned technology organisations face higher cost of capital. ESG screens directly affect borrowing terms and investor access.

What this means for IT investment decisions

Technology leaders should know:

Sustainability performance is increasingly a lever in capital allocation conversations. If your organisation is accessing green capital, or is under SLL terms, IT is not peripheral to that financing. Your ability to demonstrate energy efficiency, renewable energy sourcing, and Scope 3 control directly affects borrowing costs and capital availability. This is a financial, not just environmental, argument.

What changes in your operating model when regulation is in scope.

Regulation is not a list of rules to read. It is a set of operating model changes that your technology function must absorb. Each framework in this module creates specific demands on measurement, governance, evidence, and accountability.

Measurement

Data quality must be assurable

Spend-based proxies are no longer sufficient for organisations in CSRD scope. Measurement methodology must be documented, repeatable, and capable of independent audit. This applies to energy consumption, Scope 2 methods, Scope 3 supply chain data, and e-waste volumes.

Governance

Accountability must be distributed

Regulatory disclosure creates accountability chains. Data centre leads own facility metrics. Cloud platform teams own Scope 3 supplier engagement. Procurement owns vendor evidence. Finance owns cost-of-capital implications. A single sustainability team cannot carry this alone.

Evidence

Supplier claims face scrutiny

CSRD and SBTi Scope 3 requirements mean corporate-level sustainability pledges from vendors are insufficient. Product-level evidence, covering specific services your organisation consumes, is the standard being set. This connects directly to the measured, modelled, and proxy hierarchy covered in Module 3.

Capital

Financing terms are linked to performance

Green bonds, sustainability-linked loans, and ESG screening connect IT operational performance to borrowing costs and capital access. Technology investment decisions must now account for their impact on the organisation's sustainability financing position.

The governance gap most organisations discover too late

The regulatory frameworks in this module do not ask whether your organisation has a sustainability strategy. They ask whether your organisation can produce specific, auditable data about its environmental impact, supported by documented methodology and clear ownership. The gap between having a programme and being able to evidence that programme under regulatory scrutiny is where most organisations are exposed.

Knowledge Check · Module 9 · Q1

An organisation's sustainability report states that its data centre operations are powered by 100% renewable electricity, citing Renewable Energy Certificates. Under CSRD and the GHG Protocol, what is the most precise statement about what this claim represents?

✓ Correct: Option B

Under the GHG Protocol, organisations report Scope 2 using both the location-based method (reflecting actual grid carbon intensity) and the market-based method (reflecting contractual instruments like RECs). The REC claim is valid for market-based reporting, but it does not change the physical grid that powers the facility.

CSRD requires both methods to be disclosed. An organisation reporting only the market-based figure, without also disclosing the location-based intensity, is providing an incomplete picture. The location-based figure is the physically honest number, the one GreenOps operational decisions should be based on.

Knowledge Check · Module 9 · Q2

A technology director says: "CSRD is a European regulation so it does not apply to us. We are headquartered outside the EU." Under what circumstances might CSRD still be relevant to this organisation?

✓ Correct: Option B

CSRD directly applies to EU-headquartered organisations and to non-EU companies with significant EU revenue above specified thresholds. But the indirect reach extends further: any organisation that is a material supplier to a CSRD-obligated entity will face sustainability data requests, because those entities are required to cover material Scope 3 emissions, including supply chain.

This supply chain pull effect means the regulatory boundary is effectively wider than the direct applicability of the regulation. Organisations that sell to EU-based enterprises, access EU capital markets, or have significant EU operations should treat CSRD as material to their governance planning.

Knowledge Check · Module 9 · Q3

Which of the following best describes why the GHG Protocol's boundary-setting approach matters for enterprise IT reporting?

✓ Correct: Option C

The GHG Protocol's operational control boundary-setting approach is critical for IT because it defines which parts of the technology estate fall under organisational control (Scope 1/2) and which sit in the supply chain (Scope 3). For IT specifically, this means owned data centres fall clearly inside the reporting boundary under Scope 1 and 2, while cloud services and managed services fall in Scope 3.

This boundary distinction shapes where measurement responsibility lies, where operational levers can be applied, and how much direct control the organisation has. This is foundational to understanding whether IT is a Scope 1/2 optimisation challenge, a Scope 3 supply chain engagement challenge, or both.

⏸ Pause & Reflect

Take 5–10 minutes to think through these questions. There are no right answers. These are prompts for strategic thinking in your context.

1. SBTi and your IT estate: Does your organisation's technology estate currently sit within the boundary of its SBTi commitment or corporate net-zero target? If you are not certain, what would it take to find out, and whose responsibility is it to know?
2. Double materiality: Under CSRD double materiality, which sustainability topics are most material for your technology estate? Where do you have both a financial risk exposure and a significant environmental impact?
3. Supply chain readiness: Think about your top three or four technology suppliers. Are any of them themselves CSRD-obligated? What sustainability data requests have you already received, and are you equipped to respond?
4. Measurement credibility: Can your current sustainability programme produce IT data that would meet CSRD reporting standards? What would need to change in measurement methodology or governance to meet that bar?

Module 9: Key Takeaways

Paris Agreement and SBTi put IT estates inside corporate target boundaries.

For most large enterprises, technology consumption is material enough to sit within the SBTi boundary. Technology leaders are directly on the hook for delivery, not just adjacent to it.

EU Taxonomy determines access to sustainable capital and creates evidence requirements.

For EU-based or EU-funded organisations, Taxonomy alignment affects green financing access, lending terms, and investor classification. For non-EU organisations, it is setting the direction of travel for other regulatory frameworks.

CSRD requires assurable IT data. Spend-based proxies are insufficient.

Double materiality means both financial risk and environmental impact must be reported. Digital footprint data must be capable of independent audit. Scope 3 must be included where material. Measurement quality is now a compliance concern.

TCFD connects climate risk directly to financial governance.

Technology infrastructure exposes the organisation to both physical climate risk (driven by where facilities are located) and transition risk (carbon pricing, regulation, stranding). TCFD requires organisations to articulate this exposure and integrate it into board-level governance.

Scope 2 location-based and market-based methods measure different things. Both must be reported under CSRD.

Market-based claims (RECs, PPAs) are valid but do not change physical grid exposure. Location-based reporting is operationally decisive. Understanding which method your corporate targets use is critical.

Sustainable finance instruments are reshaping IT investment decisions.

Green bonds, sustainability-linked loans, and ESG-screened capital are connecting sustainability performance directly to cost of capital. IT operational performance is now material to borrowing terms and investor access.

What comes next.

You now understand what regulation requires, where IT sits in the compliance picture, and what changes in your operating model when disclosure becomes mandatory. The next question is how to make the case for investment. Module 10 covers the business case: five case types (cost, risk, capacity, strategy, credibility), how to frame sustainability as a financial argument, and what the first business case should fund.