Europe’s corporate reporting rules now sit in the middle of a strategic contest rather than a technical conversation among accountants and lawyers. Balance sheets and sustainability reports decide who provides capital on what terms, who is trusted to manage critical infrastructure, and who is allowed to enforce sanctions or run supply chains that touch sensitive technologies. In a world where the EU wants to finance a vast energy transition, rearm after Russia’s invasion of Ukraine and compete in digital technologies, the way it organises corporate reporting and internal controls is becoming part of its power base, not a side condition.
The European debate often revolves around disclosure templates, page counts and the scope of the Corporate Sustainability Reporting Directive. Those questions matter, especially now that Brussels and the European Parliament are paring back and delaying parts of the sustainability rulebook in response to a backlash from industry and several governments. Proposals on the table would sharply reduce the number of companies covered by detailed sustainability reporting and postpone due diligence obligations along supply chains, cutting the number of in scope firms from around 45,000 to roughly 10,000 by raising size thresholds and postponing the application of new rules. This is already reshaping incentives, with some mid sized firms pausing sustainability programmes and others choosing to continue voluntarily because they see disclosure as a source of long term advantage and access to global customers.
Yet the real strategic fault line is not only about what must be disclosed. It is about how much trust outside investors, supervisors and partners can place in the internal systems that produce those numbers. The United States has spent two decades building a regime in which listed companies must assess the effectiveness of internal controls over financial reporting and, for larger filers, submit that assessment to audit by an independent external auditor under section 404 of the Sarbanes Oxley Act. Italy, in the wake of domestic scandals, introduced its own model through Law 262 of 2005 that requires a designated manager to certify the adequacy and effective operation of internal controls over financial reporting, backed by board level responsibility and supervisory scrutiny. The regimes differ in detail and they are not universally loved by companies. What they do provide is a clear baseline and vocabulary for discussing control quality, which global investors have learnt to interpret.
By contrast, the EU as a bloc still presents a fragmented landscape. Some member states have moved closer to the US style model, others rely on softer governance codes and brief boilerplate statements about internal control effectiveness in management reports. EU law requires audit committees for public interest entities and asks them to monitor the effectiveness of internal control and risk management systems, but it stops short of requiring a structured, standardised management statement on control quality or an explicit mapping to recognised control concepts. The result is that investors receive very different levels of insight into how similar looking companies across the Union actually manage financial and sustainability risks. Sophisticated capital markets participants price that opacity. The discount may not be visible in a single transaction, but over time it raises the cost of equity and debt for firms that rely on EU venues and pushes some large issuers to consider London or New York when they want to raise serious money.
This has a direct bearing on Europe’s ambition to build a Capital Markets Union and elevate the international role of the euro. In sectors that policymakers label strategic, such as clean technology, advanced manufacturing, semiconductors, defence and digital infrastructure, the listing venue is not only a financial choice. It decides which regulators set the terms of disclosure and enforcement, which courts arbitrate disputes and which political system gains leverage over key firms in a crisis. If capital markets that apply Sarbanes Oxley style control reporting or long established UK governance codes are seen as higher trust environments for global investors, the EU risks watching some of its most important companies drift away just as it calls for more “open strategic autonomy”.
Internal control regimes also matter for Europe’s credibility as a sanctions and security actor. Since 2022, EU based companies have been asked to implement successive waves of restrictions on Russia, tighter export controls for dual use goods and more scrutiny of transactions linked to Iran and North Korea. In practice, this work is done through internal policies, know your customer checks, transaction monitoring and compliance systems in thousands of firms. If these systems are weak, under resourced or poorly overseen by boards and audit committees, breaches are more likely to slip through or be handled informally. That exposes the Union to reputational damage vis à vis partners such as the United States, the United Kingdom and Japan, which expect credible enforcement from European counterparts when they coordinate sanctions packages.
Sustainability reporting adds another layer to this strategic picture. The CSRD and the new European Sustainability Reporting Standards ask companies to report on climate risks, environmental impacts, human rights issues and supply chain due diligence in a way that goes far beyond traditional financial notes. The Commission is now simplifying that regime for some firms and delaying its extension to others, and it has been asked to produce a specific limited assurance standard for sustainability disclosures by 2026. This is politically understandable. What has not yet been addressed is the link between those disclosures and internal controls. If climate metrics, taxonomy alignment figures and human rights statements rest on controls that are weaker than those for financial reporting, companies will face growing accusations of greenwashing and human rights whitewashing, and European policymakers will discover that their most ambitious reporting project has created expectations they cannot meet.
Treating internal control as strategic infrastructure suggests several changes of direction. First, the EU could adopt a short, focused, mandatory management statement on internal control over financial and material non financial reporting for all listed companies, scaled to size. Such a statement would not dictate a single architecture. Instead it would require management and the board to explain which control concepts they use, which parts of the business are in scope, how they test controls, what period the assessment covers and whether any material weaknesses were identified, along with the remediation actions taken. The language could draw on recognised control vocabularies such as COSO or the internal control guidance linked to Italian Law 262 and other national models, without imposing any one of them.
The act of writing such a statement and exposing it to investors would already sharpen incentives inside firms. Executives would have to decide whether they really believe their systems are effective, and audit committees would have a concrete document against which to push back. Over time, as markets became familiar with these statements, some companies would treat them as an opportunity to differentiate themselves. Others might be nudged by supervisors to strengthen weak spots. The EU could then explore calibrated external assurance for larger issuers or for companies operating in sectors where control failure would have systemic or security implications, without copying the full cost profile of the original US Sarbanes Oxley model.
Audit committees sit at the centre of this shift. European rules already give them responsibility for monitoring internal controls, risk management systems and the statutory audit. In practice their effectiveness varies widely. Some committees are composed of seasoned non executives with deep financial and sectoral experience who devote significant time to their role, use private sessions with internal and external auditors to explore uncomfortable issues and insist on seeing direct evidence of control testing. Others are filled in a more perfunctory way, lack members who really understand complex IT systems or sustainability metrics and treat internal control as a narrow compliance item. Recent guidance from professional bodies underlines that high performing audit committees now need to understand cyber risks, data governance and changing reporting expectations, not only accounting standards.
The EU could raise the floor here without rewriting national company laws. It could tighten minimum criteria for audit committee independence and financial literacy, ask listed companies to publish a skills and experience matrix for committee members and require a brief narrative on how the committee has dealt with internal control issues during the year, including sustainability related controls. Supervisors could be encouraged to focus more of their thematic reviews on audit committee performance and on the interaction between committees, internal audit functions and external auditors. Exchanges and professional institutes could be mobilised to expand the pool of candidates, particularly in smaller member states where the supply of independent experts is limited and many individuals sit on multiple boards at once.
Digitalisation changes the cost structure of internal controls and should become a central part of Europe’s strategic view. Companies across the Union are investing in enterprise resource planning systems, workflow tools, real time dashboards and data lakes that capture an ever larger share of their operations. If these systems are designed with control in mind, with clear segregation of duties, robust access rights, reliable audit trails and automated reconciliations, the marginal cost of meeting higher reporting standards falls. The EU’s push for machine readable financial and sustainability reports could be deliberately aligned with this effort so that structured data is not only a regulatory output but a byproduct of well controlled processes. Supervisors and standard setters can help by recognising digital evidence such as logs and exception reports as valid inputs into control assessments and by encouraging the development of tools for continuous monitoring and risk based auditing.
The strategic dimension becomes even clearer when Europe looks at the firms and jurisdictions it interacts with. The EU is increasingly in joint ventures and supply chain relationships with state influenced companies from China and, to a lesser extent, from other authoritarian systems. These firms participate in European projects in areas such as ports, energy infrastructure and transport, and they often have their own listing and governance regimes that are less transparent than those of the EU, the US or the UK. Without a clear internal control baseline of its own, the Union has limited leverage to insist on minimum control standards in such partnerships. A more explicit EU control benchmark would give regulators and investors a reference point when assessing whether to allow certain actors into critical infrastructure or when attaching conditions to their participation.
Looking ahead to the early 2030s, the strategic consequences of today’s choices are stark. In a low ambition scenario, the EU continues to argue over the scope and timing of sustainability disclosures while leaving internal control obligations largely where they are. National practices remain uneven, audit committees in many firms are underpowered, and supervisors focus more on formal compliance than on the substance of control systems. A series of scandals linked to control failures in high profile companies, perhaps in sectors tied to the green transition or defence, reinforces the perception that EU markets come with governance risk. Global investors maintain a discount for European equities, some flagship firms choose to list or raise secondary capital elsewhere, and the euro’s role as a preferred funding currency for long term infrastructure remains constrained.
In a more ambitious scenario, finance ministries, securities regulators and parliaments treat internal control as part of Europe’s response to a more dangerous world rather than as a narrow compliance topic. They agree on a concise and proportionate internal control statement, set clear expectations for audit committee capability, and use digitalisation to keep costs manageable. Over several years, this helps to rebuild trust in EU venues at a time when investors are searching for credible green and security linked assets. The Union is better able to convince partners in Africa, Asia and Latin America that its companies can be trusted on human rights and environmental standards because their disclosures are anchored in robust internal processes. It also becomes a more attractive place to list and to issue debt for firms that want to align with stricter but reliable governance regimes.
The choice between these paths will not be made in a single negotiation in Brussels. It will take shape in budget discussions on whether supervisors have the resources to review internal controls properly, in debates in national parliaments on transposing directives and in boardrooms where executives and directors decide whether to treat governance and control as a cost or as a core part of their licence to operate. What is already clear is that corporate reporting and internal control have moved into the realm of strategic competition. The reliability of a French, German or Italian group’s numbers affects not only domestic savers but the credibility of EU sanctions, the stability of joint climate projects and the appetite of sovereign funds in Asia or the Middle East to hold euro assets.
If the Union wants to be taken seriously as a strategic actor in this landscape, it needs to align its corporate reporting architecture with its broader aims. That means lifting internal control out of the shadows of technical debates and treating it as one of the quiet arenas in which Europe’s economic and political power will either consolidate or erode. The paper rules are largely in place. The question is whether the Union is willing to put real governance substance behind them.
