ESG Rating Regulation: EU Framework and Global Developments
How Are ESG Rating Agencies Being Regulated?
For most of the history of ESG investing, rating agencies operated without regulatory oversight — producing assessments that influenced trillions of dollars in investment decisions while facing none of the disclosure requirements, conflict of interest rules, or supervisory scrutiny applied to credit rating agencies or investment advisers. That is changing. The EU's ESG Rating Regulation (Regulation 2024/3005), published in November 2024, established the first comprehensive regulatory framework for ESG rating agencies serving EU markets, requiring registration, methodology transparency, conflict of interest management, and supervision by ESMA. Other jurisdictions are watching and developing their own approaches.
Quick definition: ESG rating regulation refers to the regulatory framework requiring ESG rating agencies to meet standards for transparency, independence, and oversight when providing ESG assessments used by investors. The EU's 2024 regulation is the most comprehensive framework to date, requiring ESMA registration and imposing conduct requirements on providers serving EU investors.
Key takeaways
- The EU ESG Rating Regulation (effective from 2026 for firms with EU operations) requires ESG rating providers serving EU investors to register with ESMA, disclose their methodologies, manage conflicts of interest, and maintain organizational separation between rating and consulting activities.
- The regulation applies to both EU-based providers and non-EU providers whose ESG ratings are used by EU investors — creating extraterritorial reach similar to other EU financial regulation.
- The UK has developed its own voluntary ESG rating code of conduct (through the UK FCA) as a precursor to potential regulation; Japan and India have taken initial steps toward ESG rating oversight.
- The regulation does not mandate any specific ESG methodology — it regulates the process and governance of rating agencies rather than the content of their ratings.
- Key investor implications: ESG data providers serving EU markets must become more transparent about methodologies, making it easier for investors to understand what they are buying when they purchase ESG rating data.
The EU ESG Rating Regulation: Core Requirements
The EU's ESG Rating Regulation establishes a comprehensive framework modeled partly on the Credit Rating Agency Regulation (CRAR) and the Benchmark Regulation. Its core requirements:
Registration: ESG rating providers with 10 or more employees or equivalent revenue thresholds that market their ratings in the EU must register with ESMA. Registered firms are subject to ongoing supervisory oversight.
Methodology disclosure: Registered firms must publicly disclose:
- The methodologies and models used for ESG ratings
- Key assumptions and inputs
- The main factors and their relative weights
- Whether the rating is based on entity-led assessment (company questionnaire) or user-led assessment (third-party data)
- Limitations and uncertainties in the methodology
Conflict of interest management: The regulation requires:
- Structural separation of ESG rating activities from consulting, advisory, and other services provided to rated entities
- Policies for identifying and managing potential conflicts
- Disclosure of any material conflicts to subscribers
Independence and governance: Firms must maintain governance structures that protect the independence of ESG analysts from commercial pressure, including remuneration policies that do not link analyst pay to commercial outcomes with rated entities.
Engagement transparency: Firms must disclose the extent to which they engage with rated entities in the rating process and whether entity feedback can affect ratings.
[Figure: EU ESG rating regulation framework]
Extraterritorial Scope
The regulation's extraterritorial reach is significant: non-EU ESG rating providers whose ratings are used by EU institutional investors are subject to the regulation. Non-EU providers have several routes to compliance:
Endorsement: A non-EU provider can have its ratings endorsed by an EU-registered entity, with the EU entity taking regulatory responsibility.
Equivalence: Non-EU providers in jurisdictions with equivalent regulatory frameworks can receive equivalence recognition from the EU Commission.
Direct registration: Non-EU providers can register directly with ESMA if they establish a legal presence in the EU.
Major non-EU providers including MSCI (US), Sustainalytics (Netherlands, now with US parent Morningstar), and S&P Global (US) are all subject to the regulation's requirements for their EU-market activities.
UK FCA ESG Rating Code of Conduct
The UK Financial Conduct Authority developed a voluntary code of conduct for ESG ratings and data products (published in December 2023 following IOSCO recommendations). The code addresses:
- Good governance of the rating or data product process
- Management of conflicts of interest
- Systems and controls
- Transparency of methodologies and approach to engagement with assessed entities
The voluntary code is a precursor to potential mandatory regulation. UK-based ESG rating providers and those serving UK institutional investors should monitor FCA communications on ESG data and ratings. Verify current FCA requirements at the FCA's website.
Global Regulatory Developments
Japan: Japan's Financial Services Agency (FSA) has published principles-based guidance for ESG rating and data product providers, covering transparency, management of conflicts of interest, engagement, and governance. Japan's approach is principles-based rather than registration-and-supervision based.
India: SEBI (Securities and Exchange Board of India) has implemented ESG rating regulations requiring accredited ESG rating providers operating in India to register and meet conduct standards. India is notable as the first emerging market to formally regulate ESG rating agencies.
IOSCO recommendations: The International Organization of Securities Commissions issued recommendations for ESG rating and data product providers in 2021 — covering transparency, governance, conflicts of interest, and engagement. IOSCO recommendations influence regulatory development in member jurisdictions.
United States: The SEC has not enacted specific ESG rating regulation as of mid-2025, though its investment adviser ESG disclosure rules and fund labeling rules address related issues. US ESG rating providers face lighter regulatory requirements than EU or UK counterparts operating in those markets.
What Regulation Means for Investors
Better methodology transparency: Required methodology disclosure under EU regulation means investors can better evaluate what they are buying when they purchase ESG data from registered providers. Understanding how scores are constructed — weights, data sources, scope — becomes less dependent on voluntary provider transparency.
Reduced conflict of interest risk: Required separation of rating and consulting activities reduces the most direct forms of conflict of interest, though investors should continue to assess other potential conflicts in their data providers' business models.
Regulatory liability for providers: ESG data providers subject to ESMA supervision face regulatory consequences for methodology failures or conflict violations. This creates accountability that voluntary commitments do not.
More comparable products: As regulatory requirements standardize minimum disclosure for methodology, comparison across ESG rating providers becomes somewhat easier — though significant methodology differences will persist as regulation governs process, not content.
Common mistakes
Assuming EU regulation affects all ESG data globally: The EU regulation affects providers serving EU investors. Providers that do not market to EU investors may operate under their domestic regulatory frameworks, which may be less stringent. Investors should check whether their specific ESG data providers are subject to EU regulation requirements.
Treating regulatory compliance as evidence of quality: Regulatory registration means a provider meets minimum process and governance standards. It says nothing about whether their methodology accurately captures ESG quality. A registered provider with a poor methodology is better governed than an unregistered one — but that is a low bar for investment quality.
Ignoring the transition period: The EU regulation's full implementation timeline extended through 2026–2027 for most requirements. Investors should track whether their data providers are progressing toward compliance. Verify current implementation status with providers and at esma.europa.eu.
FAQ
What happens to ESG data providers that don't register with ESMA?
Non-EU providers that choose not to register and do not use endorsement or equivalence mechanisms would be prohibited from marketing their ESG ratings to EU institutional investors. Given the size of EU institutional markets, most major providers are expected to comply — either through direct registration or through EU-registered subsidiaries.
Does ESG rating regulation mandate any specific ESG methodologies?
No — the regulation is process-based, not content-based. It requires transparency about whatever methodology a provider uses, not adoption of any specific methodology. Two registered providers can use completely different ESG methodologies and both be in regulatory compliance. Methodology differences — which drive rating divergence — are not regulated.
How does ESG rating regulation interact with SFDR?
SFDR regulates investment funds and managers — requiring disclosure of how ESG risks are integrated and classification of funds with sustainability claims. ESG rating regulation covers the providers of ESG data that fund managers use. They are complementary: SFDR creates demand for reliable ESG data; ESG rating regulation improves the standards for providers of that data.
Will ESG rating regulation reduce rating divergence?
Probably marginally. Methodology disclosure requirements make it easier to understand why providers disagree — but do not reduce the fundamental sources of disagreement (scope choices, measurement approaches, weighting). Divergence reflects genuine methodological differences among credible providers; regulation standardizes process, not content.
What should investors ask their ESG data providers about regulation?
Key questions: Are you registered with ESMA? If not, are you using endorsement or equivalence? What methodology disclosures are you making under the regulation? How have you separated your rating activities from any consulting activities? What is your timeline for full regulatory compliance? The answers provide visibility into how providers are navigating regulatory requirements and their organizational approach to independence.
Summary
ESG rating regulation is an emerging global development, led by the EU's 2024 ESG Rating Regulation that requires ESMA registration, methodology disclosure, conflict of interest management, and governance requirements for providers serving EU investors. The regulation's extraterritorial reach means most major global ESG data providers must comply with EU requirements for their EU-market activities. The UK has developed a voluntary code as a precursor to potential mandatory regulation; Japan, India, and IOSCO have developed principles-based frameworks. Regulation improves process governance and transparency without mandating specific methodologies — it addresses how ESG ratings are produced rather than what they measure, leaving the fundamental sources of rating divergence unchanged.