A company can flood-proof every building it owns and still be exposed. The single-source supplier whose plant sits on a river delta, the contract manufacturer in a drought-stressed basin, the port that handles most of your inbound freight: none of those is on your balance sheet, and all of them can stop your revenue. Under the European Sustainability Reporting Standards (ESRS, the EU’s mandatory sustainability rulebook under the Corporate Sustainability Reporting Directive, CSRD), physical climate risk does not stop at your property line. The standard pushes the question out into the value chain, and that is where most first-year reporters came up short.
- Physical climate risk does not stop at your property line. ESRS E1 pushes the question into the upstream and downstream value chain (ESRS 1 paragraph 63).
- The common failure is stopping at tier 1. Exposure concentrates deeper, in fixed geographies like a single mine, crop region or component plant. Focus where it concentrates, at any tier.
- Missing supplier data is not a way out. Where you cannot collect it, you estimate with proxies and sector data (ESRS 1 paragraph 69); a coordinate and a hazard model still give a defensible exposure estimate.
- The dedicated value-chain grace period in the 2023 standard is not carried into the November 2025 amended draft. It is still in force today, but later cycles fold into the ordinary regime.
ESRS E1 makes you report value-chain physical risk, not act on it
ESRS E1 is the climate standard. This piece is about one slice of it: the physical hazards that reach a company through its value chain, the floods, heat, drought, storms and water stress that hit suppliers, logistics and downstream markets. It is the disclosure question: what does ESRS E1 require you to assess and report about physical risk beyond your own gates.
It is not a guide to the separate Corporate Sustainability Due Diligence Directive (CSDDD), which is about acting on your supply chain rather than reporting on it, and it is not a comparison of the two regimes. Those are covered elsewhere. The transition side of the value chain (carbon pricing on suppliers, policy and technology shifts), supplier emissions accounting, and social or human-rights due diligence all sit outside this scope.
ESRS draws the line past your own operations
The reporting boundary is explicit. ESRS 1 (the general-requirements standard) paragraph 63 extends the statement beyond the reporting company itself:
“The information about the reporting undertaking provided in the sustainability statement shall be extended to include information on the material impacts, risks and opportunities connected with the undertaking through its direct and indirect business relationships in the upstream and/or downstream value chain (‘value chain information’).”
In plain terms: if a material risk reaches you through a supplier or a customer, it belongs in the statement, not just the risks inside your own walls.
Two further hooks make this concrete for physical risk. First, the strategy disclosure (ESRS 2, disclosure requirement SBM-3, paragraph 48(a)) asks for “a description of where in its business model, its own operations and its upstream and downstream value chain these material impacts, risks and opportunities are concentrated.” You have to say where the risk sits. Second, ESRS E1 itself requires the identification process to cover the chain. In the binding 2023 standard, that lives in E1’s own risk-identification disclosure (DR IRO-1, paragraph 20):
“climate-related physical risks in own operations and along the upstream and downstream value chain, in particular: i. the identification of climate-related hazards …; and ii. the assessment of how its assets and business activities may be exposed and are sensitive to these climate-related hazards, creating gross physical risks for the undertaking.”
In plain terms: identify the hazards and test how exposed your assets and activities are, upstream and downstream, not only on your own sites. The November 2025 amended draft keeps this word for word but moves it into a new, dedicated disclosure requirement, DR E1-2 (paragraph 15). The obligation is the same; the address changes.
Most assessments stop at tier 1, where physical risk doesn’t
Here is the gap between the rule and the practice. When the EU markets supervisor, the European Securities and Markets Authority (ESMA), reviewed first-year ESRS reporters, assurance providers flagged a recurring limit. In several cases the auditor drew an emphasis of matter on “the limitation of the materiality assessment in the supply chain to tier 1.”
In plain terms: companies assessed their direct suppliers and stopped. But physical risk does not respect tiers. The flood exposure of a single mine, a single crop region, or a single component plant three steps upstream can be far more concentrated than anything among your direct contracts. A tier-1 view is often a view of the wrong layer.
Two forces push the exposure deeper. Raw materials and agriculture are tied to fixed geographies: a mine, a growing region, an aquifer, none of which can be relocated when a hazard intensifies. And the further upstream you look, the more an entire industry can narrow to a handful of sites, so one flood or one drought can reach many companies at once through a shared sub-supplier they each thought was someone else’s problem. A direct supplier can look healthy while sitting on a single exposed source two tiers above it.
ESRS does not ask you to map every actor in the chain, which would be unworkable. The EFRAG guidance on the value chain (Implementation Guidance IG-2, where EFRAG is the body that drafts the standards) tells you to focus where risk concentrates: the assessment should cover the chain “with a focus on where (geographies, activities/sectors, operations, suppliers, customers, other relationships, etc.) … they are likely to materialise.” For physical risk that focus is geographic. The question is not “who are my suppliers” but “which locations in my chain sit in a hazard zone, at any tier.”
Where physical risk actually sits in a supply chain
Three places, mostly. Upstream: supplier and sub-supplier sites, especially single-source or hard-to-substitute ones in exposed geographies. Logistics: ports, road and rail corridors, and distribution hubs that funnel a large share of volume through a few pinch points. Downstream: markets and customers whose own exposure can cut demand.
The common thread is concentration. A chain can look diversified on a supplier count and still depend on one flood-prone valley for a critical input. The useful output of an assessment is therefore not a longer supplier list but a ranked one: which locations carry the exposure, under which hazards, over which time horizon, and how much of your input or revenue runs through them. That ranking is what turns a screen into a decision, whether to hold a buffer, qualify a second source, or move a site.
The same supplier-location map a company builds for due diligence under the CSDDD (which covers the “chain of activities” of upstream and downstream business partners) is the starting point for the physical-risk screen. One map, two uses.
| Where in the chain | What concentrates the risk | Example |
|---|---|---|
| Upstream (supplier and sub-supplier sites) | Single-source or hard-to-substitute sites in fixed, exposed geographies that cannot be relocated | A flood-prone valley supplying a critical input |
| Logistics (ports, corridors, hubs) | A few pinch points funnel a large share of volume | A port handling most inbound freight |
| Downstream (markets and customers) | Customer exposure that cuts demand | A key market hit by repeated heat or flooding |
Missing supplier data is not a way out
The obvious objection is data: you do not control your suppliers’ records and cannot measure every site. ESRS anticipates this and does not accept it as a reason to disclose nothing. ESRS 1 paragraph 69 sets the expectation:
“There are circumstances where the undertaking cannot collect the information about its upstream and downstream value chain … after making reasonable efforts to do so. In these circumstances, the undertaking shall estimate the information … by using all reasonable and supportable information, such as sector-average data and other proxies.”
In plain terms: where you cannot get primary data, you estimate with proxies and sector data, you do not leave a blank. IG-2 puts the same point more bluntly: “‘Reasonable effort’ cannot be an excuse for not disclosing.” Physical risk is, in one respect, easier here than most value-chain topics: you do not need a supplier to send you data to know that its location floods. A coordinate and a hazard model get you a defensible exposure estimate even from a supplier that shares nothing.
The value-chain grace period is being withdrawn
There is a reason some reporters have gone light on the value chain so far, and it has an expiry date. The binding 2023 standard gives a dedicated transitional relief: for the first three years, a company “may limit upstream and downstream value chain information to information available in-house,” and for metrics “is not required to include upstream and downstream value chain information” beyond datapoints required by other EU law (ESRS 1 paragraphs 132 and 133).
That dedicated value-chain relief is not carried into the November 2025 amended draft. The amended standard’s transitional chapter keeps only the reliefs for comparative information and for phased-in disclosure requirements; the value-chain carve-out is gone, and value-chain information folds into the ordinary estimate-where-you-must regime that applies from the first year. The relief is still in force today for companies inside their first three years. But a reporter preparing for the later cycles should not build a plan around a grace period the amended draft removes.
It feeds the net-revenue-at-risk number
The value-chain question is not academic; it flows into a figure on the page. Both versions of the financial-effects disclosure ask for the revenue exposed to physical risk: the binding 2023 standard (E1-9, paragraph 66(d)) and the amended draft (E1-11, paragraph 38(c)) each require “the monetary amount … of net revenue from its business activities at material physical risk.”
A precise reading matters here. The financial-effects datapoints are framed around the undertaking’s own position: the monetary amount of assets at risk, the location of significant assets, and net revenue from its business activities. They do not carry an explicit “value chain” line. Value-chain exposure enters earlier, through the boundary in ESRS 1 paragraph 63 and the identification requirement, and then informs the figure rather than appearing as a separate number. So the honest framing is this: the standard does not ask for a stand-alone value-chain revenue figure, but a company whose revenue depends on exposed suppliers or logistics cannot arrive at a defensible net-revenue-at-risk number without screening that chain. The companion piece on the financial-effects disclosure walks the figure itself.
| Requirement | Binding 2023 standard | November 2025 amended draft |
|---|---|---|
| Identify physical risk across the chain | ESRS E1 DR IRO-1, paragraph 20 | Relocated to DR E1-2, paragraph 15 (same substance) |
| Dedicated value-chain relief | Three-year carve-out (ESRS 1 paragraphs 132 and 133) | Dropped; folds into the ordinary estimate-where-you-must regime |
| Net revenue at material physical risk | E1-9, paragraph 66(d) | E1-11, paragraph 38(c) (in both versions) |
Screening a supplier portfolio, and the limit worth naming
A value-chain physical-risk assessment is a portfolio problem: many locations, screened the same way, compared and ranked. This is where the Continuuiti platform fits. It takes a list of addresses (up to 5,000 in a batch), geocodes them, and returns a physical-risk profile per site across twelve hazards, under a middle and a high-emissions scenario, over a historical baseline and 2030, 2040 and 2050. Address list in, risk profile out, for the whole supplier set in one workflow.
That portfolio view is also, directly, the answer to a disclosure the standard already asks for. SBM-3 wants you to describe where in your value chain the material risks are concentrated; a ranked screen of supplier and logistics locations by hazard and time horizon is that description, in evidence rather than assertion. The same output supports the operational decisions, prioritising sites for engagement, diversification or contingency, that sit underneath the reported number.
The boundary is worth naming plainly, because it bites harder in the supply chain than anywhere else. The main loss mechanism upstream is business interruption: a supplier floods, your line stops, and your revenue falls even though your own building stayed dry. We screen exposure across the chain and convert flood hazard into a monetary damage estimate using published depth-damage curves. We do not yet price business interruption, and we do not yet put a monetary damage figure on wind, wildfire or drought, which are screened as exposure but not costed. So the division of labour is the same as elsewhere: we supply the asset-level exposure across your chain; your team maps it onto revenue dependency and the carrying amounts the disclosure asks for.
Where to go next
- Is the risk material in the first place: double materiality for physical climate risk.
- The identification methodology behind the exposure screen: ESRS E1 physical-risk identification.
- The figure the value-chain exposure feeds: the anticipated-financial-effects disclosure (E1-9 in the 2023 issuance, E1-11 in the November 2025 amended draft).
- The ESRS E1 overview hub.
- Neighbouring directives: the CSDDD requirements guide and the CSRD versus CSDDD comparison.
Frequently asked questions
Does ESRS E1 require disclosing physical climate risk in the value chain?
Yes. ESRS 1 paragraph 63 extends the sustainability statement to material risks that reach the company through its upstream and downstream business relationships, and ESRS E1’s identification requirement explicitly covers own operations and the value chain. A material risk that reaches you through a supplier or a customer belongs in the statement, not just the risks inside your own walls.
Do I have to assess physical risk beyond tier-1 suppliers?
ESRS asks you to focus where risk concentrates by geography and activity, at any tier, not to map every actor. Assurance providers flagged tier-1-only assessment as a limitation in first-year reporting. Raw materials and agriculture sit in fixed geographies, so the real exposure often hides two or three tiers upstream of your direct contracts.
What if I cannot get supplier data?
You estimate. ESRS 1 paragraph 69 expects proxies and sector-average data where reasonable effort cannot collect primary information, and the EFRAG guidance is blunt that reasonable effort cannot be an excuse for not disclosing. For physical risk this is easier than most topics: a coordinate and a hazard model give a defensible exposure estimate even from a supplier that shares nothing.
Is the value-chain reporting relief going away?
The dedicated three-year value-chain relief in the binding 2023 standard (ESRS 1 paragraphs 132 and 133) is not carried into the November 2025 amended draft. It is still in force today for companies inside their first three years, but a reporter preparing for later cycles should not build a plan around a grace period the amended draft removes.
Sources
- Commission Delegated Regulation (EU) 2023/2772, Annex I: ESRS 1 General Requirements (paragraphs 63, 69, 132, 133) and ESRS 2 General Disclosures (SBM-3, paragraph 48(a)). ESRS E1: DR IRO-1 (paragraph 20) and DR E1-9 (paragraph 66). 2023 issuance, in force.
- EFRAG, ESRS amendments November 2025 exposure draft: ESRS E1 (DR E1-2, paragraph 15; DR E1-11, paragraph 38) and amended ESRS 1 transitional provisions. Not yet adopted.
- EFRAG Implementation Guidance IG-2 Value Chain (key points on value-chain mapping and reasonable-effort estimation; FAQ 9).
- ESMA, “Materiality matters (!): Results of a fact-finding exercise on 2024 corporate reporting practices under ESRS Set 1” (ESMA32-846262651-5288, 14 October 2025).
- Directive (EU) 2024/1760 (Corporate Sustainability Due Diligence Directive), recital 25.
- Continuuiti methodology documentation, continuuiti.com/methodology.
