Disclosure LibraryPractitioner guidance for every reporting disclosure
Home Disclosure Library ESRS ESRS S4 S4-3
ESRS S4: Consumers and End-users · 2026-5010-final
Disclosure Requirement S4-3

Actions & Resources

Practical guidance for preparing this disclosure. Use this card to identify datapoints, verify claims and organise supporting evidence. For exact requirements, always refer to the official EFRAG source.

Dr Ross Kurinko, Sustainability Reporting Trainer
Reviewed by Dr Ross Kurinko · Sustainability Reporting Trainer LRA educational guidance · Not issued or endorsed by EFRAG
To prepare this disclosure
Disclosure focus

This disclosure asks an organisation to explain the actions it is taking, and the resources it is putting behind them, to address material impacts, risks and opportunities connected with affected communities. In practice, that means describing what is being done, how far those actions have progressed, and what support is being committed, rather than only stating broad intentions or policies.

The practical focus is on whether the response is real, targeted and sufficiently broad in scope. Reporters should make clear if actions cover the whole business, specific sites, projects or geographies, and whether resources are matched to where the impacts actually arise. The aim is to show how the organisation is responding in a way that is proportionate to the issue, not just highlighting a few flagship initiatives.

This LRA educational guidance supports disclosure preparation. For the exact requirements, always refer to the official EFRAG source.

Before you start

A quick mental checklist before you prepare this disclosure — tick each as you settle it.

Preparation

Key datapoints to prepare

Datapoint What to capture Evidence hint Owner
Implemented actions A plain summary of the steps the organisation has put in place during the reporting period to address the issue named in the clause. Action plans, project updates, remediation logs, approval notes, and closure records. Sustainability / risk / relevant business lead
Safety controls in place The measures currently used to reduce product-related harm, including controls, checks, and any changes made in the period. Product safety procedures, test results, incident follow-up records, quality assurance logs, and recall or correction files. Product safety / quality / operations
Privacy controls in place The practical steps used to protect personal data, including technical, organisational, and process measures applied in the period. Data protection policies, access control records, security settings, training logs, breach response procedures, and audit findings. Data protection / IT security / legal
Marketing safeguards The actions taken to keep marketing activity within responsible boundaries, including review, approval, and correction steps. Marketing review checklists, approval workflows, campaign sign-off records, complaint logs, and takedown or correction evidence. Marketing / compliance / legal
Impact category The kind of issue being reported, using the organisation’s chosen classification for the relevant harm area such as privacy, safety, or misleading information. Incident taxonomy, case coding guidance, issue logs, and classification rules used by the reporting team. Risk / compliance / incident management
Response actions The steps taken after the issue was identified, including containment, correction, escalation, and follow-up work. Incident response records, corrective action plans, case notes, escalation emails, and closure evidence. Incident management / risk / relevant business lead
Balancing choices Any judgement calls made where one objective had to be weighed against another, and the reason the chosen balance was accepted. Decision papers, risk acceptance notes, committee minutes, sign-off records, and trade-off assessments. Senior management / risk / legal
Key measures The main metrics used to track the issue or response, with the exact metric names and values used internally. Management dashboards, KPI packs, scorecards, and metric definitions. Performance management / finance / relevant function
Tracking measures The indicators used to follow progress over time, including what is measured and how each indicator is defined. Monitoring framework, indicator catalogue, reporting templates, and data dictionary. Risk / sustainability reporting / analytics
Review cadence How often the organisation checks or updates the measures, including the actual review cycle used in practice. Reporting calendar, meeting schedules, dashboard refresh settings, and governance pack dates. Reporting / risk / analytics
Incident count The total number of incidents recorded for the period, counted once each according to the reporting definition. Incident register, case management system extract, and period-end reconciliation to the source log. Incident management / risk / compliance
Incident type A short description of what kind of incident it was, using the organisation’s incident categories for privacy or safety events. Case classification rules, incident log entries, investigation notes, and root-cause summaries. Incident management / compliance / legal
Incident seriousness The level of seriousness assigned to the incident, based on the organisation’s own severity scale and assessment criteria. Severity matrix, triage notes, incident review records, and escalation thresholds. Incident management / risk / compliance
+ Show S4-3 sub-elements (LRA working checklist)

How to prepare it

1Set the reporting boundary first. Decide which products, services, channels and customer-facing activities sit inside the scope for this disclosure, then use that same scope consistently across the whole response.
2Translate the required topics into your own internal categories. Separate the actions already in place for product safety, data protection and responsible marketing, and distinguish them from the impact description, the actions taken in response, and any trade-off you had to manage.
3Gather the underlying records before drafting. Pull together incident logs, issue trackers, control reports, monitoring outputs, KPI dashboards and any other source material that supports the narrative and the figures.
4Compile the disclosure in the order the data needs it. Provide the action descriptions, then the impact type, response actions and trade-offs, followed by the KPIs, performance measures and how often they are checked; include the incident count, incident type and severity where relevant.
5Explain any gaps, exclusions or changes in method. If something is left out, treated differently or measured in a new way, note that clearly so the reader can understand what is included and how the numbers or narrative were built.
6Do a final source check against the official ESRS text. Confirm that each required item is covered, the wording still matches the underlying requirement in substance, and nothing material has been missed or added.
Request the data

Request the actions, controls and incident log from the relevant owners

Translate the disclosure into an internal business question — then adapt it to your organisation's own language.

What actions, controls, monitoring and incident details do we need to describe how the business manages customer-facing impacts and related risks in the reporting period?

Use your organisation’s own names first, then map them to the reporting categories. For example, ask for the product safety, privacy, content, customer trust, complaints, incident or control logs that your teams already use, rather than using framework labels in the request.

Weak request

Please provide the ESRS S4 actions and resources evidence for the disclosure, including the actions implemented, product safety measures, data protection measures, responsible marketing actions, impact type, actions taken, trade-offs, KPIs, performance indicators, monitoring frequency, number of incidents, type and severity.

Why it fails: This uses framework language that many teams do not use day to day, so the owner may not know which records to pull. It also bundles too many labels without saying which internal logs, systems or teams hold the evidence. That makes it harder to respond quickly and increases the risk of incomplete or inconsistent data.

Better request

Please send the latest logs, trackers or dashboards your team uses for product safety, privacy, content, customer trust and related incidents for [period]. Include the actions taken, controls in place, what you monitor, how often you review it, and any incidents with type and severity. If there were decisions where one priority had to be balanced against another, note that too. Use your own team wording first, and we will map it for the reporting pack.

Formal email template
Subject: Request for customer-facing controls, actions and incident details for [reporting period]\n\nHi [name/team],\n\nWe are preparing the sustainability reporting pack and need a short evidence set from your area for [reporting period]. Please send the information your team already holds on the controls, actions, monitoring and incidents linked to [your internal terms: e.g. product safety / privacy / content / customer trust / complaints].\n\nPlease include:\n- the main actions taken during the period\n- the controls or checks in place\n- any monitoring or performance measures you track\n- any incidents, issues or breaches logged in the period, with type and severity\n- any trade-offs or decisions made where two priorities had to be balanced\n- the source system, owner and date of the extract\n\nPlease use your own internal wording first, then we will map it to the reporting categories. If helpful, send a table or export and we will format it. Please check the source material before sign-off.\n\nThanks,\n[preparer name]
Short Teams / Slack version
Hi [name] — could you send the latest [your internal terms: product safety / privacy / content / customer trust] actions, controls, monitoring and incident log for [period]? Please include the source, owner, dates, and any key trade-offs. We’ll map your wording to the reporting pack. Thanks.
Industry examples
Consumer electronics

Context. A business sells connected devices and apps, so the evidence sits across product safety, privacy, customer support and marketing compliance teams.

Adapted request. Please share the device safety actions, app privacy controls, customer issue tracker and any incidents logged for [period]. Include the checks used before launch, the monitoring cadence, and any cases where a feature or campaign was changed because of safety or privacy concerns.

Example response. The owner returns a table with launch checks, privacy review dates, complaint counts, incident types, severity ratings, monthly monitoring notes and links to the product risk register and issue tracker.

Online retail / marketplace

Context. A business runs a digital marketplace, so the evidence is likely held by trust & safety, fraud, marketing and data protection teams.

Adapted request. Please send the marketplace moderation actions, customer data handling controls, ad review checks and incident log for [period]. Include the main issues found, what was done, how often the team reviews the dashboard, and any trade-offs between conversion and customer protection.

Example response. The owner provides an export from the moderation tool, a privacy control checklist, a monthly performance dashboard and a short note on one campaign that was paused after a customer complaint spike.

Draft your disclosure

Notes that turn data into a disclosure

LRA training templates — adapt them to your organisation, and check the official source before sign-off.

Method note

Describe the basis used to group the data, including how issue categories, response actions, performance measures and incident seriousness were defined and counted.

Context note

Explain what the figures show in practice: the kinds of issues being managed, the actions taken to address them, the indicators used to track delivery, and the scale and seriousness of recorded incidents.

Fluctuation statement

If any figures moved materially, explain the operational reason for the change, such as a shift in the mix of issues, a change in monitoring approach, or a different level of response activity.

Content index entry
S4-3 Actions & Resources — [location / page] / [notes]
Download Centre

Preparation tools & forms

Professional preparation tools for S4-3 — free with an LRA Community membership. Register once (it's free) and every download unlocks, together with the Disclosure Library, templates and the LRA AI-assistant.

Free · Community members
Go deeper · S4-3
Learn to prepare this disclosure end-to-end

This guide covers one Disclosure Requirement. The ESRS / CSRD Reporting course walks the full European workflow — double materiality, datapoints, evidence and assurance — with exercises on your own data.

Available as Guided Flex, Live Cohort, 1:1 Expert Mentorship or Corporate Programme.

Assurance readiness

For each claim, check the evidence

ClaimRiskEvidence to check
We checked that the coverage figure was built from the right population and period, and that any exclusions or estimates were applied consistently and explained in our working papers.An assurer may test whether the figure is complete, whether the chosen boundary leaves out relevant cases, and whether any judgement calls were made to make the result look better or easier to report.Boundary memo; source population list; inclusion/exclusion log; calculation workbook; estimate methodology; sign-off notes showing the period covered and any exceptions.
We used the disclosed operations and groups that were actually relevant to the topic, and we documented why any sites, products, channels or customer groups were left out of the count.The assurer may probe whether the scope was narrowed without a sound basis, or whether the reported set is not aligned with the underlying issue being described.Scope-setting paper; mapping of operations/products/channels to the topic; rationale for omissions; management review notes; version history of the draft disclosure.
We relied on data that had been checked against source records, and we kept evidence showing how we dealt with missing, late or inconsistent inputs before finalising the figure.The assurer may question whether the underlying data are reliable, whether gaps were filled in a controlled way, and whether the final number could be reproduced from the source files.Source extracts; reconciliation sheets; data quality checks; exception log; emails or tickets resolving anomalies; audit trail from source to reported figure.
Before publication, we carried out internal checks on the draft wording and numbers, including a review for internal consistency, obvious errors and alignment with the supporting files.The assurer may look for weak review controls, mismatches between narrative and numbers, or signs that the published disclosure was not checked against the evidence pack.Pre-publication review checklist; approval workflow; redline drafts; consistency checks; evidence pack index; final sign-off from the responsible owner.
Where we refer to actions, we kept records showing what was done, what resources were used, and how we tracked progress so we could explain the basis for the statement in the disclosure.The assurer may test whether the action description is backed by contemporaneous records, whether resource use is real rather than aspirational, and whether progress claims are supported by monitoring evidence.Project plans; budgets or resource allocations; progress reports; KPI dashboards; meeting minutes; implementation evidence such as training logs, process changes or remediation records.

Evidence pack to prepare

Common reporting gaps

Figures are stated without the supporting narrative, or narrative without figures.Scope is inconsistent between the text and the numbers.The reporting boundary is left undefined.Material changes since the previous period are not disclosed.Estimates and measured values are not distinguished.Source records for the figures are not identified.
Common gaps

Mistakes to avoid when collecting the data

Wrong owner asked
The team chases a central reporting contact instead of the business owner who actually tracks the action, measure, or incident in day-to-day operations.
Framework terms used too early
People ask for answers in disclosure language rather than the organisation’s own labels, so the source team cannot map the request to its normal records.
Scope left vague
The request does not pin down which business line, product, channel, or customer group is in scope, so different teams pull different populations.
+ Show 6 more

Where judgement is often needed

What counts as an action already in place
Decide whether to include only measures that are live in the reporting period or also those approved but not yet rolled out, and explain the cut-off you used.
How to handle a business bought or sold mid-year
State whether you include measures, incidents and tracking data only for the time the unit was under your control, and say how you treated any partial-period figures.
Where local rules use different labels for the same issue
Map country-specific terms to one internal set of categories, then disclose the mapping so readers can see how like-for-like issues were grouped.
+ Show 6 more
Examples

Illustrative examples

Synthetic, written by LRA — not from a company report, not text from any standard.

Illustrative (synthetic) example — Consumer electronics retail

We tightened our controls around customer-facing data and product claims, while also tracking the effect on sales conversion and complaint volumes. - We refreshed our product-safety checks, added extra review steps for customer data handling, and required a pre-publication sign-off for promotional content that could be misleading or overly aggressive. - For privacy, safety and misinformation risks, we logged the action taken, noted where we had to balance stronger customer protection against faster campaign delivery, and reviewed the measures monthly through our compliance dashboard. - In the year, we recorded 3 incidents in total: 2 privacy breaches and 1 product safety issue; all were classed as low severity, with no high-severity cases.

This synthetic example shows how a retailer might describe practical controls, the main risk themes addressed, the trade-off between commercial speed and customer protection, the way performance is tracked, and the incident picture for the period.

Illustrative (synthetic) example — Online travel services

We strengthened our booking-platform safeguards, tightened how personal information is handled, and added clearer checks on promotional messages sent to customers. - The work covered safer account access, better data-handling controls, and review of marketing content where there was a risk of pressure-selling or inaccurate claims; the same actions were used to address privacy, safety and misinformation concerns. - We tracked the related indicators each quarter, including complaint rates, blocked risky content, and the share of staff completing refresher training, and we recorded the practical tension between higher conversion and stronger customer protection. - During the year we noted 4 incidents in total: 3 privacy-related events and 1 safety-related event; 3 were low severity and 1 was medium severity, with none assessed as severe.

This synthetic example shows how a service business might explain the measures it put in place, the risk themes they were meant to address, the operational indicators it follows, and the incident profile for the reporting period.

Company reportsReal published reports
Compare side by side →Get it free

How companies report S4-3 in practice

Real reports where this topic is disclosed. These are report practice, not exact disclosure templates to copy.

Globalvia
Ground Transportation — Highways and Railtracks · Spain · 2025
Open report →
Globalvia's 2025 Sustainability Report provides partial context on various spheres including employment, taxation, financial regulation, government contracts, privacy and data protection, environment, and occupational health and safety (p.74). However, the report lacks headline values or specific quantitative data related to these areas. Additionally, no clear narrative or numeric evidence directly addressing the disclosure was found elsewhere in the report.
SNCF Group
Ground Transportation — Railroads · France · 2025
Open report →
SNCF Group’s 2025 Full-Year Financial Report provides partial narrative context on safety procedures and related risks, mentioning topics such as abandonment of post and violations affecting privacy, reputation, and safety (p.156). The report references safety regulations overseen by the EPSF (p.38) and outlines safety policies, programmes, and action plans implemented across the Group, including targets for occupational first aiders in operational and functional teams (p.163, p.250). However, no headline values or specific quantitative data are presented, and there is no clear, quotable evidence directly addressing the full scope of the disclosure.
Redeia Corporación, S.A.
Electric Utilities / IPP / Energy Traders · Spain · 2025
Open report →
Redeia Corporación, S.A.'s 2025 report provides a specific safety performance metric, noting a decrease in accident rates among its own employees with a severity rate of 0.07 and frequency rate of 1.09 (p.98). There is some related contextual information on policies and processes concerning affected communities, including engagement and remediation, but these are not clearly disclosed or detailed (p.152). No quotable evidence was found for other narrative or numeric items related to this disclosure, indicating gaps in comprehensive reporting.
✓ LRA AI Assistant · Human-in-the-loop
Dr Ross Kurinko
Ask Study Studio AI assistant about this disclosure
Get practical answers for your reporting context. Your first two answers are free — join LRA Community for free to continue without a limit.
TryHow do I prepare S4-3?What data do I need to collect?Where can I see a real-report example?What mistakes should I avoid?
2 free answers
Check your understanding

Scenarios to work through

A consumer app team has fixed a privacy setting issue and added extra checks before new releases. The team also changed its ad review process after a complaint about misleading claims, but the draft report only mentions the privacy fix.

QShould you include both the privacy-related fix and the marketing review change, or only the most obvious action?
Reveal model answer →

A retailer has introduced extra product testing, clearer warning labels, and a staff training refresh after a safety complaint. The draft narrative lists the measures, but it does not explain which harm they are meant to reduce or how the business balanced sales pressure against tighter controls.

QDo you need to link the measures to the harm type and explain any tension between commercial goals and protection steps?
Reveal model answer →

A platform team tracks the number of privacy complaints, the number of safety-related reports, and the time taken to close each case. The team reviews the dashboard every month, but the report only says that monitoring happens without naming the measures used or how often they are checked.

QWhat level of detail should you give about the follow-up metrics and review cycle?
Reveal model answer →

A company had two incidents during the year: one privacy breach affecting 120 customers and one product safety issue affecting 8 customers. The draft report says there were incidents, but it does not separate the counts, the type of incident, or how serious each one was.

QHow should you present the incident information so it is useful for a reader?
Reveal model answer →
Framework references

Related framework references

How this disclosure maps across the major reporting frameworks.

ESRS
S4-3
within ESRS S4: Consumers and End-users
Open official source →
Primary
Related & explore
Go deeper · S4-3
Learn to prepare this disclosure end-to-end

This guide covers one Disclosure Requirement. The ESRS / CSRD Reporting course walks the full European workflow — double materiality, datapoints, evidence and assurance — with exercises on your own data.

Available as Guided Flex, Live Cohort, 1:1 Expert Mentorship or Corporate Programme.

FAQ

Questions this page answers

How do I prepare disclosure S4-3 using the step-by-step guidance on this page?+
What datapoints do I need to collect for S4-3 on consumers and end-users?+
How should I define the scope and methodology for S4-3 before I draft the disclosure?+
Who should own the S4-3 data collection and sign-off process?+
What evidence do I need to make S4-3 assurance-ready?+
What are the common mistakes to avoid when preparing S4-3?+
How do I use the Prep & Assurance workbook for S4-3?+
How do I use the printable Library Card for S4-3?+
What does the synthetic example disclosure on S4-3 show me?+
How can I turn S4-3 data into a draft narrative and content-index line?+
More questions this page can help with
S4-3 consumers and end-users: what evidence pack items should I gather before assurance?S4-3 consumers and end-users: how do I map incident count, incident type, and incident seriousness into a draft?S4-3 consumers and end-users: what should I check in the assurance claims before sign-off?S4-3 consumers and end-users: how do I use the workbook to track controls, measures, and review cadence?S4-3 consumers and end-users: what are the most common reporting gaps on this page?S4-3 consumers and end-users: how do I decide which implemented actions and response actions belong in scope?S4-3 consumers and end-users: how should I document safety controls, privacy controls, and marketing safeguards?S4-3 consumers and end-users: how do I prepare a reviewer-friendly evidence trail from the page?S4-3 consumers and end-users: what can I use the synthetic example disclosure for?S4-3 consumers and end-users: how do I use the draft-output section to write the narrative?S4-3 consumers and end-users: is there a downloadable checklist or workbook for preparation?S4-3 consumers and end-users: does this page give a one-to-one ESRS or IFRS mapping?
How this library is built 312 published reports indexed 63171 pages with page-level citations 247 practitioner guides