1. Introduction
The manner and depth of integration of digital technologies into corporate business models are profoundly reshaping how value is created, how risks are managed, and how responsibilities and commitments toward stakeholders are fulfilled. In this context, artificial intelligence (AI), algorithmic decision-making and governance, and data-driven management systems are no longer merely supporting corporate tools but are increasingly central to strategic decision-making, operational efficiency, and competitive advantage. At the same time, as these technologies become more deeply embedded in business models and processes, they give rise to new categories of risk, ranging from algorithmic bias and infringements of fundamental rights to deficiencies in data governance and heightened cybersecurity threats [1,2].
Within this evolving environment, sustainability reporting plays a pivotal role as a mechanism through which companies disclose their impacts, risks, and governance practices to investors, regulators, and other stakeholders. The reporting requirements introduced by the Corporate Sustainability Reporting Directive (CSRD) and operationalised through the European Sustainability Reporting Standards (ESRS), together with established international frameworks and standards such as GRI, SASB, and the ISSB's IFRS Sustainability Disclosure Standards, reflect growing expectations that companies systematically identify, assess, and disclose material sustainability-related risks. In light of the above, an important question arises: to what extent do these frameworks and standards adequately capture the risks associated with digital transformation and artificial intelligence [2,3,4]?
Traditionally, sustainability reporting and related regulatory requirements have focused primarily on environmental, social, and governance (ESG) factors. Digital- and AI-related risks, by contrast, have often been treated as technical or operational issues, separate from the core concept of sustainability. Such a separation frequently leads to an underestimation of their actual materiality, particularly where digital solutions and AI systems influence the protection of fundamental rights, employment relations, access to services, and the transparency of decision-making processes. Additional complexity arises from the increasingly intensive regulation of digital domains, reflected in the parallel development of legal regimes governing artificial intelligence, personal data protection, and digital due diligence. This article examines the extent to which contemporary sustainability reporting standards address risks associated with artificial intelligence and broader digital transitions. The research combines a qualitative content analysis of sustainability reports from companies operating in digitally intensive sectors with a doctrinal legal analysis of the normative instruments governing sustainability and digital risk reporting. Particular attention is devoted to the role of management and supervisory bodies, as well as to the relationship between risk-related disclosures and mechanisms of legal and corporate governance accountability. Existing studies either analyse regulatory developments or discuss the ethical dimensions of AI, but rarely combine normative framework analysis with an empirical assessment of corporate disclosure practices under the CSRD/ESRS regime [2,3,4].
The research addresses how companies, in practice, disclose risks related to artificial intelligence. At the same time, it considers whether legislative and standard-setting initiatives are moving in the right direction and whether their implementation will better prepare companies to manage future digital, social, and governance-related risks. Despite the growing body of literature on ESG reporting and AI governance, empirical research has yet to systematically examine how companies operationalise AI-related risks within mandatory sustainability reporting frameworks. This study addresses this gap by linking doctrinal legal analysis with qualitative content analysis of corporate sustainability reports. It contributes to the literature in three principal ways. First, it conceptualises artificial intelligence as an emerging, structurally under-embedded ESG risk dimension. Second, it provides structured empirical evidence on AI-related disclosure practices across multiple EU sectors operating under a mandatory reporting regime. Third, it identifies a governance-accountability gap between the regulatory expectations embedded in the double materiality logic and the substantive internalisation of AI-related risks in corporate reporting practice. The article proceeds as follows. Section 2 presents the theoretical foundations and legal background; Section 3 outlines the research methodology; Section 4 presents the research results; and Section 5, "Conclusions and Further Discussion", concludes [2,4,5].
2. Theoretical Basis and Legal Background
2.1. The Current Role of Corporate Sustainability Reporting
Corporate sustainability reporting refers to the systematic disclosure of information on a company's environmental, social, and governance (ESG) impacts, risks, and opportunities related to its operations. Its fundamental purpose is to enhance transparency regarding the non-financial aspects of corporate activities that may have significant implications for stakeholders, financial markets, and society at large. ESG metrics play a crucial role, particularly for socially responsible investors who incorporate broader sustainability considerations into their investment decisions. Environmental criteria indicate the extent to which a company protects natural resources and manages its climate change impact. Social criteria focus on the management of relationships with employees, suppliers, customers, and local communities, as well as respect for human rights throughout the value chain. The governance dimension encompasses information on the quality of corporate governance, the composition of management and supervisory bodies, audit processes, internal control systems, and the rights and position of shareholders [5].
Although ESG factors cannot be expressed unambiguously in monetary terms, numerous empirical studies confirm that ESG criteria can have a noticeable impact on company value and contribute to higher returns on financial markets [6]. However, Barker warns that sustainability-related financial information can help reconcile the conflict between a corporation's economic self-interest and external costs only where corporate activities affect the capital on which those activities depend [7]. Others argue that corporations generally do not have a self-interest, even in the long term, in eliminating external costs [8,9].
Environmental, Social, and Governance (ESG) criteria have evolved into a dominant evaluative framework for assessing corporate sustainability performance. ESG's origins lie in socially responsible investing and corporate responsibility scholarship [10]. Corporate Social Responsibility (CSR) reporting is also recognised as a preparatory step toward sustainable corporate governance [5]. CSR reporting has evolved from largely voluntary, narrative-based non-financial disclosures to increasingly standardised, legally binding reporting regimes. Early EU initiatives under the Non-Financial Reporting Directive (NFRD) have been replaced by the Corporate Sustainability Reporting Directive (CSRD), which significantly expands both the scope of reporting entities and the breadth and depth of required disclosures. The CSRD represents a shift from predominantly compliance-oriented non-financial reporting toward a comprehensive sustainability reporting model. It directly links sustainability aspects with corporate strategy, risk management, and corporate governance structures. This regulatory development reinforces the role of sustainability reporting not merely as an external communication tool, but as a key corporate governance mechanism that influences decision-making processes, accountability structures, and the long-term competitiveness of companies [9].
A key conceptual innovation of the CSRD is the principle of double materiality, according to which undertakings must report both (i) the financial effects of sustainability issues on the company (financial materiality) and (ii) the company's impacts on people and the environment (impact materiality) [11]. Under the NFRD, companies primarily focused on reporting their social and environmental impacts [12]. In contrast, the CSRD requires firms to conduct a comprehensive double materiality assessment, encompassing the identification, evaluation, and disclosure of both their impacts and the sustainability-related risks and opportunities that are financially material to them [9].
The double materiality assessment replaces an exclusively investor-oriented materiality concept with a broader approach that combines the financial perspective with an impact-focused one. It aligns EU sustainability reporting with emerging due diligence expectations under the UN Guiding Principles on Business and Human Rights (UNGPs) and the OECD Guidelines for Multinational Enterprises [13]. Scholars suggest that sustainability reporting enhances corporate governance sustainability [9] and positively affects market outcomes and financial efficiency [14]. Recent research based on the CSRD and on the theoretical distinction between substantive and symbolic sustainability reporting indicates that adopting double materiality does not necessarily change ESG risk management processes. The absence of an observable effect may reflect symbolic reporting practices, robust pre-existing ESG risk management frameworks, or the early stage of double materiality adoption; it should therefore not be read as evidence that the new regime has produced substantive reporting changes or actual transformations in corporate practice [14,15].
2.2. The Impact of AI on Corporate Sustainability Reporting
Artificial Intelligence (AI) intersects with ESG in three principal ways: (1) as a tool for mitigating ESG-related risks through enhanced monitoring, emissions reduction, and improved governance capabilities; (2) as a driver of positive organisational outcomes, including improved service quality and enhanced stakeholder experience; and (3) as a source of its own ethical, social, and environmental risks, the domain of Responsible AI. Incorporating AI considerations into ESG frameworks is therefore essential to ensure that these interconnected impacts and vulnerabilities are identified and addressed coherently [2].
The increasing digitisation of enterprise workflows has positioned Artificial Intelligence (AI) as a transformative enabler of ESG reporting and monitoring. AI enhances both the breadth and depth of ESG analysis by enabling real-time data collection, automated classification, and predictive modelling.
Tse et al. identify three key functional stages of AI-enabled ESG analytics [16]:
- (1) Data harvesting (extracting ESG-relevant information from structured and unstructured data sources);
- (2) Data organising (screening, preprocessing, and structuring data);
- (3) Data analysis (applying machine learning techniques, sentiment analysis, and contextual modelling).
Furthermore, Pozzi and Dwivedi examine Internet of Things (IoT)-driven ESG architectures, demonstrating how sensor networks can strengthen environmental sustainability through continuous emissions monitoring and automated threshold alerts [17]. AI is thus emerging not merely as a reporting tool, but as a mechanism for operationalising ESG principles within enterprise systems, supply chains, and investment portfolios.
ESG Implications of AI: Risks, Accountability, and Sustainability
While AI has the potential to improve ESG performance, it also introduces new sustainability challenges. Prior research demonstrates that AI systems impose significant environmental burdens due to energy-intensive training processes and lifecycle resource consumption [3]. In addition, social risks such as algorithmic discrimination, privacy erosion, and labour displacement align directly with the social pillar of ESG [1].
Several conceptual frameworks have been proposed to assess AI's ESG footprint. Saetra links AI impacts to the United Nations Sustainable Development Goals (SDGs) [18] and subsequently advances an AI–ESG protocol comprising four stages: descriptive statements, impact assessment, risk–opportunity analysis, and action planning [19]. Brusseau proposes a set of human-impact indicators centred on autonomy, well-being, and trustworthy technology, thereby explicitly linking social sustainability with responsible AI [20]. Minkkinen et al. further contribute by examining AI auditing processes through ESG dimensions, emphasising the importance of governance structures, organisational awareness, and impact measurement [21]. Comparative analyses highlight significant global disparities in ESG-aligned AI investments between developed and emerging economies [22].
Industry and governmental bodies have likewise incorporated ESG considerations into AI governance frameworks [22,23]:
- (1) The EU Artificial Intelligence Act introduces a risk-based legal framework that prohibits certain AI practices, imposes obligations on providers and deployers of high-risk AI systems, and regulates general-purpose AI models [24];
- (2) The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework for identifying, assessing, and mitigating AI-related risks, organised around the Govern, Map, Measure, and Manage functions [23];
- (3) ISO/IEC 42001 specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system (AIMS), applicable to enterprises and their governance bodies [25];
- (4) The OECD Framework for the Classification of AI Systems classifies systems along dimensions that include "People & Planet" alongside economic context, data and input, AI model, and task and output, thereby capturing impacts on people, planet, and profit in the manner of a "triple bottom line".
As demonstrated above, AI plays a dual role in relation to ESG. On the one hand, it enables more accurate and timely data collection and analysis, thereby supporting sustainability reporting. On the other hand, the deployment of AI within companies' internal processes introduces a range of risks. The remainder of this article therefore focuses on this second role. Specifically, it examines the primary sustainability reporting frameworks and assesses how they address the current risks associated with the use of artificial intelligence tools. Recent discussions in the literature also distinguish between purely digital AI systems and so-called "physical AI", referring to AI embedded in cyber–physical infrastructures and industrial systems. While this study focuses primarily on digital AI governance risks within corporate reporting, the increasing integration of AI into physical infrastructure further expands potential sustainability, safety, and systemic risk considerations, reinforcing the relevance of explicit disclosure frameworks [22,26,27,28].
2.3. Normative Frameworks for Corporate Sustainability Reporting
2.3.1. Regulatory and Standard-Setting Frameworks for Sustainability Reporting
Legislative, regulatory, and standard-setting frameworks for sustainability reporting in the EU define minimum content requirements, the scope of obligated entities, and reporting principles to achieve disclosure objectives related to environmental, social, and governance aspects of business activities. These frameworks pursue multiple goals, including enhancing the comparability, transparency, and reliability of disclosed information. In doing so, they strengthen companies' roles in sustainability reporting and in disclosing relevant information to key stakeholders, while simultaneously enabling stakeholders to make more informed decisions. A review of the regulatory and legislative development of sustainability reporting frameworks reveals the emergence of complex, multi-level institutional environments in recent years, characterised by the interaction of public regulators and private or semi-public standard-setting actors. Before the statutory introduction of sustainability reporting, its development was primarily driven by private initiatives such as the Global Reporting Initiative (GRI), the International Integrated Reporting Council (IIRC), and the Sustainability Accounting Standards Board (SASB). However, as sustainability information has become increasingly relevant for capital markets, stakeholders, and public policy, more powerful institutional actors have entered the field, most notably the European Commission in cooperation with EFRAG and the IFRS Foundation [29].
As discussed further below, the EU approach embodied in the CSRD introduces substantial changes to sustainability reporting. It is grounded in a public regulatory mandate, broad stakeholder orientation, and the principle of double materiality. The European Sustainability Reporting Standards (ESRS) are therefore not intended merely to improve the comparability of corporate disclosures, but also to steer companies toward aligning their reporting practices with the objectives of sustainable development and the European Green Deal. In contrast, the IFRS Foundation, through the establishment of the International Sustainability Standards Board (ISSB), adopts a capital-market-oriented logic with a stronger focus on investors and financial materiality. Its objective is to establish a global baseline of sustainability disclosures that is interoperable with financial reporting. This institutional differentiation reflects deeper tensions between regulatory and market-based conceptions of sustainability reporting and raises questions about interoperability, legitimacy, and potential fragmentation of the reporting landscape. At the same time, it underscores the need for coordination and for approaches that enable the coexistence of global and jurisdiction-specific standards within a future system of mandatory sustainability reporting [4,29,30].
2.3.2. Evolution from NFRD to CSRD: Mandatory EU Reporting
The transition from the NFRD to the CSRD represents one of the most significant regulatory shifts in the development of European corporate reporting. Through it, the EU is systematically moving from limited, heterogeneous non-financial disclosures to comprehensive, standardised sustainability reporting. The NFRD (Directive 2014/95/EU) was adopted in the aftermath of the 2008 financial crisis and, for the first time, established an obligation to disclose sustainability-related information. However, it later became evident that the NFRD had numerous shortcomings in the comparability and completeness of reported information. These shortcomings include a high degree of flexibility in the choice of reporting frameworks, broad discretion in the interpretation of materiality, significant differences in the selection and scope of sustainability disclosures in practice (resulting in lower comparability between companies), uneven reporting quality, and limited usefulness of the information for investors and other stakeholders [31,32].
Results from previous studies show that while the NFRD increased the volume of disclosed information, it did not lead to a substantial improvement in substantive quality, with the concepts of materiality and double materiality playing a key role [33,34].
With the implementation of the CSRD, these shortcomings were intended to be addressed and mitigated. The CSRD overcomes the limitations of the NFRD by expanding the scope of reporting entities, mandating the inclusion of sustainability disclosures within the management report, introducing mandatory external assurance, requiring digital tagging of the reported information, and requiring the application of the ESRS, which precisely define the requirements and information that companies must disclose in each sustainability area. The ESRS also specify requirements for the double materiality assessment and for the content and structure of disclosures. As a result, sustainability reporting in the EU is firmly established as a mandatory reporting framework that is increasingly comparable to financial reporting and serves as a key regulatory instrument for steering corporate governance toward risk management, capital allocation, and strategic decision-making in line with the objectives of sustainable development and the European Green Deal [35,36,37,38].
2.3.3. ESRS Architecture and Double Materiality
The ESRS are designed as a comprehensive informational and regulatory system, with double materiality serving as its central conceptual and operational pillar. Double materiality directly structures the scope, content, and logic of the information that companies must consider when preparing sustainability disclosures. The ESRS are not conceived as a mere list of reporting requirements, but as a multi-layered information architecture that integrates the cross-cutting standards (ESRS 1, General Requirements, and ESRS 2, General Disclosures), topical standards covering environmental, social, and governance matters, and a detailed network of standardised data points that enable consistent, comparable, and digitally readable reporting [39].
Within the ESRS, double materiality functions as the core selection mechanism that determines which topics and disclosures are relevant, based on an assessment of the company's impacts on the environment and society (impact materiality) and an assessment of the risks and opportunities that may have a material effect on the company's financial position, performance, and future development (financial materiality). In the ESRS framework, double materiality is operationalised as a process that goes beyond a one-off assessment and extends across the entire information flow: from understanding the company's business model and value chain, through the identification of impacts, risks, and opportunities (IROs), to the definition of metrics, targets, and performance monitoring. The ESRS enable individual data points to be systematically linked to governance structures, strategy, and decision-making processes, meaning that sustainability reporting is no longer a standalone reporting exercise but an integral component of corporate governance. Within this framework, double materiality operates as a dynamic organisational mechanism that influences not only what companies report, but also how they structure their internal information systems, manage sustainability-related risks, and align strategic objectives with regulatory requirements. Consequently, the ESRS architecture establishes a strong linkage between regulation, information systems, and strategic management, representing one of the most comprehensive attempts at the institutionalisation of sustainability reporting at the global level, in which double materiality is not merely a normative principle but the operational core of the entire reporting system [39].
2.3.4. GRI Standards: Impact Materiality and Global Guidance
The GRI Standards represent a globally recognised sustainability reporting framework based on the concept of impact materiality. In assessing and reporting information, companies therefore focus on evaluating the actual and potential impacts of their activities on the environment, society, and the economy from a broader social responsibility perspective. The GRI Standards adopt an "inside-out" perspective, addressing the company's impacts on its ecological and social environment rather than the effects of sustainability factors on the company's financial position [36]. The GRI Standards were developed through a global multi-stakeholder process involving representatives from business, employees, civil society, financial markets, the auditing profession, and public institutions, which ensures a high degree of legitimacy and international acceptance. Owing to this design, the GRI Standards serve as global guidelines for sustainability reporting, enabling companies to disclose their economic, social, and environmental impacts in a manner that is internationally comparable, regardless of the legal framework or industry in which they operate. As such, the GRI Standards serve as a reference framework for the global harmonisation of sustainability reporting. Beyond their reporting function, the GRI Standards also have a significant impact on the organisational management of sustainability impacts, as the process of determining impact materiality requires companies to systematically identify, assess, and prioritise impacts across their entire value chain. In this way, sustainability responsibility becomes institutionalised within business processes. On this basis, the GRI Standards represent a key conceptual and methodological foundation for the further development of sustainability reporting [40].
2.3.5. SASB Standards: Industry-Specific, Financial Materiality Approach
The SASB Standards are designed as a strongly investor-oriented and industry-specific sustainability reporting framework. Their central focus and point of departure is financial materiality, that is, the assessment of sustainability topics based on their likelihood of having a material impact on a company’s financial position, performance, and long-term value. In contrast to the GRI Standards, the SASB framework is grounded in capital market logic and explicitly follows a concept of materiality comparable to that used in financial reporting standards developed by the FASB and the IASB, whereby sustainability topics are considered relevant only to the extent they affect economic value for investors. A key characteristic of the SASB Standards is the assumption that sustainability-related risks, opportunities, and their financial relevance differ substantially across industries. To address this, the Sustainability Industry Classification System (SICS) was developed, classifying companies into 11 sectors and 77 industries based on similarities in resource intensity, exposure to sustainability risks, and business models. This structure enables precise and targeted reporting. Accordingly, within each sector, the standards specify a clearly defined set of material sustainability topics, which are further broken down into disclosure topics and quantitative accounting metrics. In this way, the SASB Standards follow a logic of reporting, measurability, and comparability that is characteristic of financial reporting. A distinctive feature of the SASB Standards is the explicit linkage between individual sustainability topics and financial value drivers, such as revenues, costs, liabilities, and the cost of capital. Financial relevance is assessed based on the magnitude and intensity of each sustainability topic’s impact on these drivers. 
Through this approach, SASB does not treat sustainability issues as external or secondary factors; instead, it considers them integral determinants of a company's long-term value creation. The SASB Standards were not designed to replace broader, socially oriented frameworks, but rather to function as a complementary system alongside existing frameworks such as the GRI [41].
2.3.6. ISSB (IFRS S1 and S2): Global Baseline for Investor-Oriented Disclosures
The establishment of the International Sustainability Standards Board (ISSB) within the IFRS Foundation represents a landmark institutional step toward global harmonisation of sustainability reporting. Its central objective is to develop a global baseline of investor-oriented disclosures of sustainability-related financial information. The ISSB was established in 2021 in response to calls from the International Organisation of Securities Commissions (IOSCO) and the International Federation of Accountants (IFAC). Its primary purpose is to address existing gaps and the need for high-quality, globally comparable sustainability disclosure standards that are consistent with IFRS financial reporting standards. IFRS S1 and IFRS S2 are designed as investor-focused standards based on the principle of financial materiality. They require the disclosure of sustainability-related risks and opportunities that are reasonably likely to affect a company’s future cash flows, cost of capital, access to financing, business model, and long-term value. The ISSB deliberately follows the logic of financial reporting by requiring companies to disclose sustainability information that is relevant, complete, neutral, comparable, and timely. This facilitates the integration of sustainability information into core financial statements and management reports, thereby enhancing its usefulness to capital markets. IFRS S2, as the first thematic standard issued by the ISSB, systematically regulates the disclosure of climate-related risks and opportunities. It is based on the Task Force on Climate-related Financial Disclosures (TCFD) pillars (governance, strategy, risk management, and metrics and targets). It incorporates industry-specific requirements derived from the SASB Standards. This further strengthens the financial relevance and comparability of disclosures across companies and industries. 
The ISSB Standards are not intended to replace regional or national regulatory frameworks, but rather to serve as a minimum global baseline. Individual jurisdictions may build upon this baseline in line with their own regulatory, social, and political objectives. In this way, the ISSB, through IFRS S1 and IFRS S2, establishes a coherent and investor-oriented global framework for sustainability disclosure that strengthens the linkage between sustainability-related risks, financial valuation, and decision-making in capital markets [42,43].
2.3.7. Overlaps, Conflicts, and Complementarities Among CSRD/ESRS, GRI, SASB, and ISSB
The contemporary ecosystem of sustainability and ESG reporting can be understood as a multi-level, institutionally fragmented, yet gradually converging system in which the CSRD/ESRS, GRI, SASB, and ISSB intersect through a complex network of overlaps, conceptual tensions, and functional complementarities. The development of sustainability reporting began with voluntary CSR disclosures, continued with the standardisation of non-financial information, and has, in recent years, entered a phase of institutionalised, regulatorily supported sustainability reporting [44]. An analysis of the overlaps among the individual frameworks reveals numerous similarities. All the examined frameworks address the same core areas (environmental, social, and governance) and employ contemporary concepts such as risks, opportunities, strategy, governance, and metrics, which creates an appearance of substantive alignment. GRI and ESRS overlap in their treatment of companies' impacts on the environment and society along the value chain; SASB and ISSB overlap in the identification of financially material sustainability risks; and ESRS and ISSB overlap in the structure of disclosures, which follow the logic of governance, strategy, risk management, and metrics and targets. However, it is essential to note that such overlaps are often only shallow. Many reporting frameworks pursue different normative objectives, target different users, and follow distinct institutional logics, yet use similar terminology, which may lead to conceptual conflicts. Differences are particularly pronounced at the level of materiality. GRI is based on impact materiality and a multi-stakeholder logic of accountability; SASB and ISSB rely on financial materiality and an investor-oriented understanding of relevance; and CSRD/ESRS adopt the concept of double materiality, which institutionally seeks to integrate both perspectives within a single regulatory framework. These differences in the understanding of materiality are central, as they reflect the distinct societal functions of reporting. The GRI Standards serve companies primarily as a means of legitimisation within the broader social environment; SASB and ISSB support capital markets and investment decision-making; while the ESRS function as instruments for achieving EU public policy objectives, such as the sustainability transition, the management of systemic risks, and the protection of broader stakeholder interests [44,45].
The various frameworks impose different requirements regarding the scope of disclosures, the depth of data, and compliance costs, creating a reporting burden for companies, complicating regulatory oversight, and reducing data comparability for investors. Differences also arise from divergent regional regulatory approaches. With the implementation of the CSRD/ESRS, the EU has introduced mandatory, broadly defined sustainability reporting. In contrast, the United States and other markets rely more on investor-oriented logic and market-based mechanisms. This may lead to asymmetries in the quality and scope of disclosed information [44].
At the same time, several areas of convergence can be identified. GRI is commonly described as a foundational global normative framework that shapes the understanding of impacts and corporate social responsibility and enables companies, through their reporting, to identify potential risks at an early stage that may later materialise financially. SASB complements this approach by operationalising financial materiality across industries, enabling investors to assess risks and value drivers more precisely. ISSB, through the IFRS Sustainability Standards, elevates this investor focus to the global level by establishing a common language and a minimum global baseline of disclosures (IFRS S1/S2) that individual jurisdictions can further build upon.
Within this constellation, ESRS operate as a regulatory synthesis, incorporating elements of GRI and SASB/ISSB and embedding them within a legally binding framework supported by mandatory external assurance and digital reporting. The future development of sustainability reporting is therefore unlikely to be characterised by complete standard unification, but rather by interoperability, in which global investor-oriented standards such as ISSB and SASB provide the baseline, broader multi-stakeholder frameworks such as GRI offer the normative and conceptual foundation, and regulatory systems such as CSRD/ESRS deliver legal and institutional reinforcement. The effectiveness of such synergy and coordination will depend on: (1) genuine coordination among standard-setting bodies; (2) the harmonisation and strengthening of assurance mechanisms; and (3) companies’ ability to move ESG reporting beyond a symbolic legitimisation function and integrate it into corporate governance, strategy, and decision-making. Without such cooperation and coordination, existing overlaps may evolve into inefficient duplication, increased reporting complexity, and a loss of potential value. The current sustainability reporting landscape can therefore be understood as a dynamic institutional compromise among diverse interests, in which standards do not compete for dominance but coexist and interact with one another [35,39,41,44,45,46,47,48,49,50,51,52,53,54,55].
Based on the above, the CSRD/ESRS, GRI, SASB, and ISSB frameworks overlap across several dimensions. The first and most important common denominator is their shared thematic coverage of sustainability areas. All frameworks address environmental, social, and governance aspects of business activities, including climate change, human rights, labour practices, corporate governance, and business ethics. All standards also explicitly link sustainability topics to governance, strategy, and risk management. This indicates that sustainability reporting is no longer treated as a separate reporting domain, but rather as an integral part of a company’s core governance system. A further key area of similarity relates to the use of materiality as a selection mechanism, albeit in different forms. All frameworks require an assessment of materiality to determine which disclosures are relevant. Similarities can also be identified in the structural logic of disclosures, which increasingly follows the reporting pillars of governance, strategy, risk management, and metrics and targets. Additional convergence can be observed in the direction of standardisation, comparability, and digitalisation, as all frameworks require and support the development of structured, machine-readable, and comparable ESG data, which form the foundation for future reporting systems [9].
Table 1 below presents the key overlaps among the CSRD/ESRS, GRI, SASB, and ISSB frameworks.
2.4. Legal Risks of AI in Corporate Sustainability Reporting
2.4.1. Extent to Which CSRD/ESRS Require Disclosure of Digital/AI Risks
The CSRD and the ESRS do not define or regulate digital and AI-related risks as standalone, technology-specific categories. Instead, they address them indirectly but systematically through reporting within the broader framework of sustainability impacts, risks, and opportunities (IRO). These issues are primarily embedded within the areas of social effects, the protection of fundamental rights, and financial materiality. With the implementation of the CSRD, reporting requirements related to risks arising from digitalisation, data usage, and automated systems have entered into force. Companies are required to disclose information on the risks to which they are exposed and on how these risks affect governance within their own operations and across the value chain. A key role in this context is played by ESRS S4, which explicitly requires disclosure of how companies prevent or mitigate material negative impacts associated with the collection, use, and governance of data, including impacts on the right to privacy, the protection of personal data, non-discrimination, and access to information. Data breaches, cyber incidents, and inadequate information systems governance are recognised as typical material risks that must be addressed in sustainability reporting. Such incidents may harm consumers and end users and negatively affect a company’s financial performance and long-term value. The ESRS do not contain a dedicated standard for artificial intelligence; accordingly, AI-related risks fall implicitly within the scope of disclosure whenever automated systems, algorithmic decision-making, or advanced analytics affect data processing, user rights, system security, or a company’s business model. ESRS S4 thus functions as an interface between sustainability reporting and digital regulation, as its disclosure requirements draw on obligations arising from the existing EU legal framework.
The CSRD does not introduce ex ante obligations to disclose technical details of cybersecurity or AI architectures; instead, it requires meaningful, proportionate, and risk-based disclosures that enable stakeholders to understand how companies identify, assess, and manage digital and data-related risks. Consequently, AI-related risks under the CSRD and ESRS are highly relevant in terms of substance and governance responsibility, as they are integrated into the broader framework of double materiality rather than being treated as a separate technology-specific reporting category. In particular, three disclosure dimensions within the ESRS framework serve as primary interfaces for AI risk. First, ESRS 2 (Governance) requires disclosure of oversight structures and risk governance responsibilities, which become directly relevant where AI systems influence strategic decision-making. Second, ESRS 1 operationalises double materiality assessments, within which AI-related impacts may emerge as financially or socially material topics. Third, ESRS S4 (Consumers and End Users) explicitly addresses data governance, privacy, and non-discrimination concerns, thereby indirectly capturing algorithmic decision-making risks. These dimensions collectively provide normative entry points for AI-related disclosure, even in the absence of a standalone AI standard [39,56,57].
2.4.2. How Voluntary Frameworks (GRI, SASB, and ISSB) Approach Digital and AI Impacts
Similar to the CSRD, the voluntary standards GRI, SASB, and ISSB define impacts related to artificial intelligence and digitalisation primarily in an indirect and fragmented manner, without standalone or technology-specific disclosure requirements [18,57]. The GRI Standards are based on the concept of impact materiality and do not treat AI and digitalisation as separate reporting areas; instead, they address them through related topics such as data protection, user privacy, non-discrimination, labour practices, employee health and safety, and responsible organisational governance. As such, the GRI Standards do not include specific indicators that would systematically require companies to disclose algorithmic bias, automated decision-making, the impacts of AI on fundamental rights, or the environmental footprint of digital infrastructure [18]. The SASB Standards, which are designed around financial materiality and investor relevance, address digital and AI-related risks mainly through industry-specific topics such as cybersecurity, data protection, IT systems reliability, and regulatory compliance. Broader social and ethical impacts of technology are included only if they are assessed as financially material [41]. This approach may lead to a narrow coverage of AI impacts, as many long-term, indirect, or systemic effects of artificial intelligence (such as discrimination, surveillance, or impacts on democratic processes) are often not immediately financially measurable and therefore remain outside the reporting focus [57]. The ISSB introduces a more structured disclosure of sustainability-related risks; however, it also primarily focuses on the financially material effects of digitalisation and AI, particularly risks that may affect cash flows, the cost of capital, and the long-term value of the company. Consequently, voluntary reporting standards allow for partial disclosure of digital and AI-related risks. Still, they do not provide a comprehensive, comparable, and multi-stakeholder-oriented view of the sustainability-related impacts of artificial intelligence. This creates a regulatory and reporting gap, which the CSRD and ESRS have begun to address by integrating digital and data-related risks into a mandatory sustainability reporting framework [57].
2.4.3. Findings from Empirical Studies: Gaps, Boilerplate Disclosures, Emerging Practices
Existing research indicates that corporate reporting on risks related to artificial intelligence and digitalisation is still at an early stage of development and is characterised by significant substantive gaps, a predominance of generic or standardised disclosures, and only a limited number of emerging good practices. Companies tend to present artificial intelligence in their reports primarily as a source of innovation, efficiency, and competitive advantage, while adverse, indirect, and long-term effects of AI (such as algorithmic bias, non-transparent automated decision-making, intrusions into privacy, impacts on employee health, and systemic risks to fundamental rights) are either addressed only superficially or omitted altogether [18,57]. Companies often mention AI-related risks within statements on ethical principles, legal compliance, and the responsible use of technology. However, companies typically fail to disclose concrete information on actual AI use cases, identified risks, internal controls, assessment procedures, or the allocation of responsibilities within the organisation, which significantly reduces the informational value of such disclosures for investors and other stakeholders [41,57]. Such disclosures are particularly common among companies that rely on voluntary reporting standards, where the absence of precisely defined, verifiable requirements allows symbolic compliance without substantive depth [41].
Nevertheless, a review of corporate reports (especially those of large technology companies) reveals a growing number of cases in which firms disclose the establishment of AI governance structures, internal ethics committees, AI risk assessment processes, and linkages between the use of algorithms and fundamental rights, as well as impacts on consumers and employees [18]. These practices, however, remain fragmented, methodologically inconsistent, and limited to a small subset of companies. This confirms that existing voluntary frameworks do not provide sufficient incentives for systematic and comparable disclosure of AI-related risks [18,57].
Table 2 below presents how selected reporting frameworks address digital and AI-related risks.
The analytical framework was developed deductively based on three pillars:
- (1) disclosure requirements under ESRS (particularly ESRS 1, ESRS 2, and ESRS S4);
- (2) accountability and corporate governance literature addressing oversight of digital risks;
- (3) established methodological principles of qualitative content analysis [58,59].
The coding categories were pre-tested on two pilot reports to ensure clarity, internal consistency, and alignment with the research objectives.
2.5. Governance Risks of AI in Corporate Sustainability Reporting
2.5.1. Accountability: Governance Structures and Board Oversight
Accountability in corporate sustainability reporting is closely linked to the existence and effectiveness of a company’s governance structures. Management and supervisory bodies play a key role in overseeing material risks and shaping the company’s strategic direction. In modern corporate systems, management boards and supervisory boards are considered central accountability mechanisms, as their members are responsible for overseeing business operations, ensuring compliance with applicable laws and regulations, and safeguarding the interests of stakeholders [60]. Empirical research demonstrates that oversight effectiveness is often constrained by information asymmetries between management and supervisory bodies, the dominance of managerial perspectives, and a lack of expertise in complex, rapidly evolving domains [61]. These shortcomings are particularly pronounced in the areas of artificial intelligence, data governance, and cybersecurity. The technical complexity of digital technologies further hampers critical assessment and effective oversight at the board level [62]. Under such conditions, there is a risk that oversight of management remains formal and mainly symbolic, while disclosures in sustainability reports primarily serve to fulfil regulatory requirements. For this reason, the CSRD and the ESRS emphasise an enhanced role for governing bodies in the assessment, oversight, and disclosure of digital risks and implicitly require strengthened accountability, more precise allocation of responsibilities, and more informed supervision of companies’ digital transformation [35].
2.5.2. Due Diligence: Embedding AI in Human-Rights and Environmental Due Diligence
The due diligence process represents a central mechanism for identifying, preventing, and remedying the negative impacts of business activities on human rights and the environment. It is increasingly recognised as a fundamental element of modern corporate governance. In the context of digital transformation and the growing use of artificial intelligence, the scope of due diligence is expanding to include technological systems whose operation may give rise to indirect and systemic adverse effects, particularly in the areas of non-discrimination, privacy protection, personal data protection, and environmental sustainability [62]. Algorithmic processes associated with artificial intelligence can reproduce and amplify inequalities. At the same time, their deployment often relies on resource-intensive methods that may generate significant environmental footprints, particularly in energy consumption and the use of natural resources. Consequently, it is becoming essential to integrate artificial intelligence into due diligence systems. In the coming years, this will become increasingly necessary for companies seeking to conduct comprehensive risk assessments across their value chains. Regulatory developments at the EU level, including emerging due diligence obligations in human rights and environmental protection, as well as the requirements of the CSRD and ESRS, underscore the need to systematically link technological risks with existing due diligence frameworks [35]. Without the inclusion of artificial intelligence within due diligence processes, there is a risk that disclosures in sustainability reports will become formalistic and unable to capture the actual impacts of digital technologies on society and the environment. Such an approach weakens both corporate accountability and stakeholder protection [60].
2.5.3. Human Rights: Discrimination, Surveillance, Autonomy, and Consumer Fairness
The use of artificial intelligence poses numerous risks to human rights, particularly in the areas of non-discrimination, surveillance, personal autonomy, and consumer fairness. Through the deployment of artificial intelligence and algorithmic mechanisms, often based on historical and biased data, there is a risk that existing AI systems may reinforce and exacerbate social inequalities. This can lead to unequal treatment and discrimination in areas such as recruitment, credit scoring, and service pricing [63,64].
At the same time, artificial intelligence and its operational systems enable practices such as biometric identification, behavioural analysis, and large-scale profiling, thereby interfering with the right to privacy and creating environments of continuous surveillance that may restrict individual freedom of action and expression [63,64]. Such systems can reduce individual autonomy, as decisions are often made automatically without sufficient transparency [62]. In the context of consumer protection, this may result in unjustified differential treatment, manipulative business practices, and opaque personalisation and pricing strategies that can undermine principles of equal treatment and fair market practices [65,66].
2.5.4. Environmental Stewardship: Energy and Resource Intensity of AI Systems
From an environmental governance perspective, the increasing use of artificial intelligence is of significant importance due to its high energy and resource intensity. The development, training, and operation of large AI models require substantial computational capacity, leading to extensive electricity consumption and an increased carbon footprint, both during operation and across the entire lifecycle of the underlying hardware [67]. Research shows that the environmental impact of AI extends beyond the model training phase to include continuous inference, data storage, and the production and replacement of specialised hardware, with the embodied carbon footprint becoming increasingly significant [67,68]. Environmental governance thus becomes a critical issue for companies in the context of AI deployment. It requires systematic measurement, disclosure, and mitigation of the environmental impacts of digital tools. Consequently, the CSRD legislation and the ESRS increasingly and implicitly require companies to address environmental aspects of digitalisation within sustainability reporting, including the energy efficiency and carbon footprint of AI systems [35].
2.5.5. Conceptual and Practical Gaps in Current Disclosure Approaches
For conceptual clarity, this study distinguishes between three analytically related but distinct categories of digital risk. First, AI-related risks refer specifically to risks arising from algorithmic decision-making systems, including algorithmic bias, opacity in automated decision-making, accountability gaps, and the governance of AI models. Second, data governance risks include the collection, storage, processing, and protection of data, including privacy breaches, failures in personal data protection, and improper data management practices. Third, cybersecurity risks relate to technical system vulnerabilities, cyberattacks, IT infrastructure resilience, and operational disruptions. While these categories may overlap in practice, they represent conceptually distinct governance domains. The empirical analysis, therefore, treats AI-related risks as a specific subset of digital risks with particular accountability and sustainability implications. Despite the increasing level of digitalisation and the growing use of artificial intelligence in corporate reporting, existing disclosure practices remain burdened by significant conceptual and practical gaps. At the conceptual level, one key gap concerns reporting boundaries. In particular, this relates to whether digital risks are understood to cover only a company’s internal processes or also indirect impacts along the value chain, which results in fragmented and difficult-to-compare disclosures [69]. Different legislative frameworks and standards use similar concepts (such as materiality, risk, or impact) but interpret them in substantively different ways, further contributing to inconsistency and reducing the informational reliability of reports for stakeholders [70]. At the practical level, these conceptual ambiguities are reflected in selective, often declaratory disclosures, in which companies mention artificial intelligence, data governance, and cybersecurity but rarely explain concrete governance mechanisms, due diligence processes, or the actual impacts on the company, human rights, and the environment. Such selective disclosure opens space for impression management and weakens corporate accountability, creating a growing need to reduce the gap between what companies report in their annual and sustainability reports and what they actually implement in practice [69,71]. Although legislative measures such as the CSRD represent an essential step toward greater standardisation, current practices reveal limited integration of digital risks into comprehensive governance, due diligence, and performance measurement systems. Without more explicit conceptual guidance and more operational requirements concerning artificial intelligence, there is a risk that future disclosures will remain formally compliant yet substantively insufficient for a genuine assessment of the social, environmental, and human rights impacts of companies’ digital transformation [35].
3. Research Methodology and Research Sample Used
3.1. Methodology
The study adopts a multiple-case study design combined with cross-sectional comparative qualitative content analysis. It focuses on the structured analysis of disclosure patterns across multiple cases rather than on in-depth narrative reconstruction of individual companies. The method was chosen because it is particularly suitable for an in-depth empirical analysis of contemporary, complex phenomena in their real-life context [58]. The selected case study method enables the researcher to focus on specific phenomena and examine and understand them in detail. More specifically, this method allows for a thorough investigation of internal processes and the interrelationships among the observed elements. The case study approach is appropriate for this research because it facilitates empirical investigation of contemporary phenomena in real-world settings, where the boundaries between the phenomenon and its context are not clearly defined [59,72]. Such an approach is especially relevant for the study of sustainability reporting, where corporate disclosures result from the interaction of legal obligations, corporate governance structures, strategic decisions, and organisational culture. The chosen analytical framework enables a systematic analysis and comparison of disclosures related to risks associated with artificial intelligence, data governance, and cybersecurity. These risks are increasingly material in the context of corporate sustainability and are being incorporated into companies’ sustainability reports. They are closely linked to the digital transformation of business models, while the regulatory framework governing their disclosure is still evolving and remains fragmented. For these reasons, a qualitative, comparative case study approach is more appropriate than purely quantitative methods, as it allows for an assessment of the content, structure, and quality of disclosures [28,58,59,72].
The study uses qualitative content analysis. Sustainability and annual reports of the selected companies were analysed according to predefined categories. Particular attention was paid to distinguishing between purely declarative statements on digital risks and disclosures that include concrete governance structures, internal policies, oversight procedures, and measurable outcomes. Based on the collected results, a comparative analysis was conducted across the examined companies. The findings enable interpretation of reporting practices across individual companies, sectors, and countries. In this way, the study contributes to an understanding of the extent to which current sustainability reporting systems effectively enable transparent and accountable treatment of digital risks, and to identifying areas where further improvements are required [28,72].
3.2. Sample and Data Sources
The empirical part of the study includes a selected sample of twenty companies operating across four sectors with differing levels of digital intensity and regulatory exposure. The selection of companies was based on predefined inclusion criteria. The sample includes large undertakings headquartered in EU Member States that are subject to the CSRD reporting obligation and that published a full sustainability or annual report for the 2024 financial year. All companies exceed the CSRD size thresholds (balance sheet total, net turnover, and number of employees) and therefore qualify as large entities under EU law. Companies without publicly available complete reports or outside the selected jurisdictions were excluded. The aim of the sampling strategy was not statistical representativeness but analytical comparability across sectors and governance contexts. The companies included in the research come from the telecommunications, financial services, pharmaceutical, and retail sectors. They are headquartered in five EU Member States (Slovenia, Germany, Italy, France, and Spain), which enables a comparison of disclosures across different national and regulatory environments within a unified European legal framework. The selection of companies and sectors is based on the assumption that telecommunications and financial services are highly digital-intensive and subject to strict regulation. In contrast, the pharmaceutical and retail sectors are exposed to digital risks in different, often less standardised ways. The distribution of companies across industries was balanced to enable analytical comparison; however, subgroup sizes remain small and are therefore interpreted cautiously within a qualitative research logic. The sample was structured to ensure cross-country and cross-sector comparability, with one company per sector selected from each of the five analysed EU Member States.
Consequently, the chosen sample enables the identification of systematic differences in reporting practices and the assessment of whether the level of digital exposure is reflected in the quality of disclosures. The analysis was conducted using publicly available annual and sustainability reports published by the companies for the 2024 financial year. The study deliberately limits its scope to the content of these reports, as they serve as the primary instruments for achieving the objectives of transparency, accountability, and stakeholder communication pursued by contemporary reporting frameworks such as the CSRD, GRI, and ISSB. All sustainability reports of the selected companies included in the study are based on the Corporate Sustainability Reporting Directive (CSRD) framework and the European Sustainability Reporting Standards (ESRS). This focus is justified, as the CSRD is a mandatory regulatory framework that large companies operating within the European Union must apply, whereas the other frameworks considered are voluntary. At the same time, as established in Section 2.4, which compared disclosure requirements related to artificial intelligence risks across different normative frameworks, the CSRD contains the most comprehensive set of requirements for the disclosure of digital- and AI-related risks. Consequently, the use of the CSRD framework in the empirical part of the study is both appropriate and methodologically justified [58,72].
3.3. Research Design and Analytical Instrument
The empirical analysis was conducted using a pre-designed content analysis table, which serves as the central research instrument.
Table 3 was developed specifically to examine the data and address the research question and is aligned with the disclosure logic of the CSRD and the ESRS. The analytical instrument covers three main areas: (1) risks related to artificial intelligence, (2) data governance and privacy protection, and (3) cybersecurity. Each coding item was conceptually mapped to specific ESRS disclosure expectations. For example, items relating to governance structures correspond to ESRS 2 governance disclosures; inclusion of digital risks in materiality assessments reflects the double materiality logic under ESRS 1; and items concerning privacy, data governance, and human rights link to ESRS S4 requirements. This mapping ensured that the analytical instrument reflects normative disclosure dimensions rather than researcher-defined categories.
For each of these areas, the empirical analysis assesses, using a binary (YES/NO) coding approach, whether the annual or sustainability reports of the selected companies include: (i) explicit statements regarding the existence of digital risks; (ii) descriptions of governance structures and responsibilities; (iii) disclosures of relevant policies and internal rules; (iv) the inclusion of digital risks in risk management or materiality assessments; and (v) the disclosure of key performance indicators (KPIs), where such indicators are reported. During coding, these categories were treated as analytically distinct dimensions, and disclosures were classified by their primary governance focus to avoid conceptual overlap. The binary coding approach was selected to capture the structural presence or absence of governance-relevant disclosure elements in a transparent and replicable manner. While binary coding does not measure narrative depth in a qualitative sense, it allows for the systematic identification of whether core accountability components are disclosed [58,59].
Individual items in the content analysis table were coded (as described above), with page references and brief content descriptions added. This approach ensures greater methodological transparency and reduces subjective interpretation. The observation was conducted using a pre-designed content analysis table (as shown in Figure 1 below), and the analysis was carried out on a sample of 20 companies. While the sample size does not allow for statistical generalisation, the study follows the logic of analytical generalisation typical of qualitative case study research [70]. The objective is not to establish universal prevalence rates but to identify structural reporting patterns and governance tendencies across sectors. Coding was initially conducted by one researcher and subsequently reviewed by the remaining authors. Discrepancies and ambiguities were discussed collectively until consensus was reached. Given the exploratory and qualitative nature of the study and the limited sample size, formal interrater reliability coefficients were not calculated; instead, coding robustness was ensured through iterative cross-review, discussion of borderline cases, and documented consensus validation among the authors. This approach aligns with the logic of analytical generalisation typical of qualitative governance research, where interpretative coherence and methodological transparency are prioritised over statistical inference [58,59]. The overall research design and analytical structure are presented in Figure 2.
3.4. Research Question
The study is designed around a single fundamental research question that derives directly from the research objectives and the theoretical and normative foundations of sustainability reporting. The research question is formulated as follows:
RQ1: How do corporations currently disclose AI-related risks in their sustainability reporting, and which ESG principles (accountability, due diligence, human rights, environmental stewardship) are most frequently engaged in these disclosures?
The stated question enables an assessment of both the scope of sustainability disclosures and their quality, in particular the degree of standardisation, the linkage to governance mechanisms, and the presence of accountability elements as required by contemporary regulatory and reporting frameworks. It also allows for an analysis of the regulatory and standard-setting environment and explains how different concepts of materiality, differing focal points (investors versus stakeholders), and varying levels of normative obligation influence the actual disclosure of digital and AI-related risks. The study employs a mixed methodological approach, primarily qualitative content analysis, legal-comparative analysis of standards, and thematic coding. This approach is well-suited to research in law, governance, and ESG reporting.
4. Research Results
The analysis of the 2024 annual report disclosures of the selected companies clearly reveals a pronounced asymmetry between the treatment of digital risks and risks related to artificial intelligence. While the majority of the analysed companies disclose risks related to cybersecurity and data protection, AI as a standalone risk category is explicitly disclosed in only a few cases. The results indicate that AI is still predominantly framed as a strategic opportunity or an operational optimisation, rather than as a source of risk from an accountability perspective. Explicit disclosure of risks related to artificial intelligence within the analysed sample is minimal. Among the 20 selected companies, only a minority reported AI-related risks. More specifically, only 2 out of 20 companies (10%) disclosed such information, identifying artificial intelligence as a source of risk in the context of ethical, security, or social challenges. Within this small subset, some companies demonstrated more advanced AI governance disclosure practices. For example, one financial sector company explicitly outlined the board-level oversight responsibilities and referred to structured AI risk assessments integrated into its enterprise risk management system. In contrast, several companies mentioned AI only in strategic innovation sections, without disclosing associated risks, governance mechanisms, or accountability structures. Such disclosures illustrate a predominantly symbolic approach, where AI is framed positively while risk dimensions remain unaddressed. A significantly larger number of companies included in the study disclosed information on cybersecurity and data protection. More than half of the analysed companies explicitly addressed cybersecurity risks in their annual reports. In particular, 13 out of 20 companies (65%) reported on cybersecurity-related issues. Similarly, approximately half of the companies reported on data governance and privacy protection, with 9 of 20 (45%) providing such disclosures. All percentages reported in this section are calculated from the total sample of 20 companies and are derived directly from the binary coding table presented in Figure 3. These results suggest that companies predominantly perceive digital risks as traditional operational and compliance risks, while AI-related risks, as a distinct topic, remain vastly underreported.
Figure 3 below presents an overview of corporate disclosures.
From an ESG perspective, the principle of accountability most frequently appears in corporate disclosures. This is most reflected in descriptions of governance structures, internal controls, and companies’ risk management systems. This principle is typically associated with cybersecurity and data protection, and less frequently with artificial intelligence. In addition to accountability, the principle of due diligence also appears in annual reports, most often in the form of technical and organisational measures, such as ISO standards and security protocols. Only in exceptional cases does this principle extend to broader societal assessments or analyses of AI’s ethical impacts. Human rights are likewise predominantly linked to digital risks, most often through the right to privacy. Based on the reported findings, four types of companies can be identified: (1) companies that explicitly address AI as a risk; (2) companies that disclose digital risks while AI remains implicit or is addressed primarily as an opportunity; (3) companies whose reporting is mainly limited to cybersecurity-related issues; and (4) companies in which digital and AI-related risks are absent from reporting. For example, companies classified under the first type (explicit AI risk disclosure) typically referred to AI-specific oversight mechanisms, such as dedicated AI governance committees or formalised AI risk assessment procedures embedded in enterprise risk management systems. By contrast, companies in the second type framed AI primarily as a strategic innovation tool, emphasising productivity gains without reference to risk-mitigation processes. Firms in the third category limited their disclosures to cybersecurity resilience, data protection compliance, IT system resilience, and IT risk controls, without mentioning AI-related governance or algorithmic decision-making systems. Finally, companies in the fourth category did not include any substantive reference to digital or AI-related risks within their sustainability disclosures beyond general compliance statements.
The results of the study demonstrate that the disclosure of AI-related risks in companies’ annual reports remains limited to a very narrow group of firms.
From a sectoral reporting perspective, companies in the banking sector achieved the highest level of disclosure, reporting on average 50% of the examined information. Banks disclosed cybersecurity and data protection risks to a significant extent, and 60% of the analysed banks integrated digital risks into their risk management systems or double materiality assessments. Only one bank treated AI as a standalone risk. Telecommunications companies followed the banking sector, with an average disclosure level of 38%. A review of the reported information shows a wide range of practices among telecommunications companies, from highly advanced reporting on AI risks, ethics, and human rights to a complete absence of disclosure. Companies in the pharmaceutical sector reported, on average, 36% of the required information. This sector exhibits a medium level of maturity, with relatively frequent reporting on cybersecurity and data protection. However, companies did not explicitly address AI-related risks, as AI was predominantly presented as an innovation tool rather than a source of risk. The lowest level of disclosure was observed in the retail sector. On average, companies reported only 8% of the required information. As many as 80% of the analysed retail companies did not disclose any digital or AI-related risks.
Figure 4 below presents an overview of corporate disclosures by sector.
An analysis of corporate reporting by country shows that companies from France achieved the highest level of disclosure, reporting on average 40% of the examined information. They were followed by companies from Italy, with an average disclosure level of 37.5%. Companies from Spain followed, reporting approximately 30% of the information. Finally, companies from Slovenia and Germany reported the lowest levels, each disclosing on average 15% of the required information.
Figure 5 below presents an overview of corporate disclosures by country.
The study also finds that existing reporting frameworks, such as the CSRD and ESRS, enable companies to disclose digital and AI-related risks in a structured manner. However, this potential has not yet been fully realised in practice. Companies often follow a formal disclosure logic that includes descriptions of governance, risks, and materiality, but this logic rarely translates into substantively profound and measurable reporting. This limitation is most evident in the disclosure of key performance indicators. Almost none of the analysed companies disclosed quantitative indicators related to AI or digital risks. Consequently, the reported information in annual reports largely remains at a narrative and descriptive level, rather than being presented in a form that would allow for comparability and measurement of the disclosed data.
Based on the results, individual standards and reporting frameworks appear to be more effective at capturing well-established digital topics, such as cybersecurity and data protection. These topics have a long history of regulation and institutionalisation. In contrast, artificial intelligence, as a relatively new and rapidly evolving technology, is less well conceptualised within existing materiality assessments. Even in cases where companies conduct double materiality assessments, AI rarely emerges as a standalone material topic and is instead most often subsumed under broader categories of digitalisation or innovation. Differences between individual frameworks (particularly between those with a stronger investor focus and those adopting a stakeholder-oriented approach) are reflected in practice in the quality of AI risk disclosures. Although it could be expected that frameworks oriented toward stakeholder impacts would strengthen the linkage between AI and human rights, the empirical results do not confirm this expectation. Current standards and reporting frameworks do not prevent the disclosure of AI-related risks, but neither do they create sufficiently strong incentives for companies to systematically identify, operationalise, and measure such risks.
A detailed examination of the research question and its interpretation in light of the obtained results indicates that, in 2024, companies disclose digital risks selectively and unevenly. Disclosures related to cybersecurity and data protection dominate reporting, while AI as a standalone risk remains largely undisclosed or marginalised. Sustainability and ESG principles appear in disclosures primarily in the form of accountability and governance, and much less frequently in due diligence and human rights protection when AI is concerned. Existing reporting frameworks and standards provide companies with an appropriate structural foundation; however, in practice, this often results in minimal compliance rather than substantively deep, measurable outcomes. This creates a clear gap between the rapid digital transformation of companies and the maturity of sustainability reporting. The results of the study, therefore, confirm that improving the quality of disclosures requires not only the formal adoption of new standards but also a more precise conceptualisation of AI-related risks and their integration into materiality assessments, corporate strategy, and risk management systems.
5. Conclusions and Further Discussion
The purpose of the study was to examine how European companies, in practice, report and disclose information related to digitalisation and artificial intelligence risks, and to assess the extent to which existing reporting frameworks enable or constrain such disclosures. Based on a systematic qualitative content analysis of annual reports of selected companies across multiple sectors and countries, the study produced several significant findings.
First, the results clearly indicate that explicit disclosure of AI-related risks in corporate reporting remains rare. Except for a small number of companies, most firms still primarily view AI as a technological opportunity and driver of efficiency and innovation, rather than as a standalone risk. This confirms that AI has not yet been fully internalised as a risk category in current practice within the context of sustainable corporate governance.
Second, the findings show that companies predominantly address digital risks through cybersecurity and data protection. These areas are far more frequently integrated into risk management systems and materiality assessments, indicating that they are already institutionally and conceptually embedded within existing governance and regulatory frameworks. Results suggest that cybersecurity and data protection often function as substitutes for a broader discussion of AI-related risks.
Third, the study reveals a pronounced lack of quantitative indicators related to AI and digital risk reporting. Even in cases where companies provide relatively detailed descriptions of governance structures, policies, and processes, disclosures rarely extend to the level of measurement and performance evaluation. In light of the research question, it can be concluded that most companies do not yet systematically and explicitly disclose AI-related risks.
The results highlight a significant tension between the regulatory ambition of reporting frameworks and actual reporting practices. While the CSRD and ESRS theoretically provide a sufficiently broad and structured framework for the disclosure of digital and AI-related risks, the empirical findings demonstrate that companies mainly utilise these possibilities at the level of narrative descriptions and governance structures, rather than at the level of measurement and comparability. The study makes an essential contribution to understanding the existing gap between normative expectations and empirical reporting practice concerning AI-related risks. The results suggest that the current landscape represents a transitional phase in which digital risks are entering sustainability reporting, though mainly in limited and indirect ways. In conclusion, AI-related risks are not yet addressed in sustainability reporting at a level commensurate with their actual social, ethical, and economic significance. Although the CSRD and the ESRS represent an essential step toward more standardised sustainability reporting, the findings indicate that truly high-quality reporting on AI-related risks will require not only adjustments to reporting standards but also changes in companies’ internal governance practices. With respect to theoretical implications, the findings extend sustainability reporting theory by demonstrating that AI-related risks remain institutionally under-embedded despite formal integration within double materiality frameworks. This suggests that regulatory incorporation does not automatically translate into substantive governance internalisation. Regarding practical implications, the findings for regulators indicate the need for more explicit AI-specific disclosure guidance within sustainability standards. For corporate boards, the results underscore the importance of integrating AI governance into materiality assessments and risk management systems. For investors and auditors, the study highlights the need to scrutinise narrative AI disclosures and demand measurable governance indicators. Given that only 10% of analysed companies explicitly disclose AI-related risks, the findings clearly demonstrate a substantial gap between regulatory expectations and corporate reporting practice.
Our findings indicate that translating different materiality concepts into reporting practice remains uneven. While the CSRD/ESRS architecture embeds digital risks within the logic of double materiality, the empirical analysis shows that AI-related risks rarely emerge as standalone material topics. Instead, they are frequently subsumed under broader categories of digitalisation, innovation, or IT risk. This suggests that the conceptual distinction between financial materiality, impact materiality, and double materiality does not automatically translate into differentiated, operationalised disclosures in practice. This pattern is consistent with prior research on symbolic versus substantive sustainability reporting, which demonstrates that the formal adoption of reporting frameworks does not necessarily translate into measurable governance integration. Similar to findings from earlier studies on NFRD implementation and early-stage CSRD adoption, companies appear to prioritise well-institutionalised, compliance-driven topics (e.g., cybersecurity and data protection), while emerging, more complex governance domains, such as AI-related risks, remain underdeveloped in disclosure practice.
Looking ahead, future revisions of the ESRS or the development of AI-specific disclosure guidance could significantly strengthen the explicit treatment of artificial intelligence risks within sustainability reporting. Possible developments may include the introduction of mandatory AI governance disclosures, standardised indicators for algorithmic risk assessment, and more straightforward integration of AI-related human rights impacts into double materiality processes. Closer alignment between the ESRS framework and the EU Artificial Intelligence Act may also provide a more coherent regulatory architecture, ensuring that AI-related risks are not only governed technically but also transparently disclosed within corporate sustainability reporting. Understanding and disclosing AI-related risks thus remains one of the key challenges for the future development of ESG reporting in Europe. While the findings indicate that regulatory incorporation alone does not ensure substantive AI risk disclosure, the limited reporting observed in this study may also be influenced by organisational factors beyond regulation. These may include differences in internal management maturity, technical expertise in AI governance, reputational sensitivity, strategic confidentiality concerns, and the early-stage development of internal AI risk assessment practices. This study is subject to certain limitations. First, although the companies operate within a harmonised EU regulatory framework, cross-country differences in reporting culture and supervisory practices may affect disclosure comparability. Second, sectoral heterogeneity in digital exposure and regulatory intensity may partially explain variations in reporting depth. Third, the analysis reflects the early-stage implementation of the CSRD regime for the 2024 reporting cycle. Future research could adopt a longitudinal design to assess whether AI-related risk disclosures evolve and mature across subsequent reporting periods.