ESG ratings are moving from a largely self-regulated market into a supervised one. The shift is driven by a basic market problem: ratings strongly influence capital allocation, yet methodologies, data sources, and conflicts of interest are often hard to assess. Regulators in the EU and UK are now building regimes designed to make ESG ratings more transparent, governed, and comparable where possible – without trying to standardize outcomes.
What’s actually being regulated
Both regimes are primarily targeting the activity of issuing, publishing, and distributing ESG ratings – not how investors use them.
The EU is first: authorization and ESMA supervision from 2026
The EU has already adopted an ESG Ratings Regulation, and the rules apply from July 2026. Providers offering ESG ratings in the EU will fall under direct ESMA supervision, rather than national regulators.
What that means in practice:
- Authorization/recognition becomes a gate to operate in the EU market.
- Disclosure requirements expand – covering methodology design, assumptions, data sourcing, and limitations.
- Governance and organisational requirements harden – roles, controls, recordkeeping, and analyst competence become part of the supervisory perimeter.
- Conflict management becomes structural, including restrictions on issuing ESG ratings from the same legal entity as credit ratings, and limits on mixing certain activities.
One detail that signals where regulators are going: EU disclosures explicitly call out the use of AI in data collection or the rating process, including limitations and risks – suggesting transparency expectations will extend into model design choices, not just inputs.
The UK is following a similar direction – but on a longer runway
The UK has confirmed it will bring ESG ratings providers into the regulatory perimeter. HM Treasury has published a consultation response and draft legislation, after which the FCA will define the detailed rules and the authorization process. The UK government has indicated the end-to-end timeline could take up to four years depending on implementation and application volume.
The FCA is already consulting on its proposed approach and has stated that, from 29 June 2028, firms providing certain ESG ratings in the UK will need FCA authorization.
Why this matters beyond ratings firms
1) For investors and ratings users
Regulation should improve baseline robustness – making it easier to evaluate:
- what a rating is actually measuring (risk, impact, or both)
- how the model weights E/S/G components
- where data is sourced from and where assumptions dominate
2) For companies being rated
As regimes mature, expect:
- more structured routes to challenge factual errors
- more consistent disclosures about what drove a score/opinion
- a higher likelihood that ratings methodologies are referenced in investor and lender diligence
The biggest strategic implication: business models will be re-priced
For providers, compliance won’t be just a legal exercise – it will change unit economics and operating design:
- Multi-activity firms (ratings + advisory/consulting/data) will need clearer separation, controls, and governance to manage conflicts.
- Data and methodology transparency will become a competitive differentiator – because it will be supervised and comparable.
- Cross-border access becomes more complex. In the EU, third-country providers may need equivalence, endorsement via an EU entity, or recognition with an EU legal representative accountable to ESMA.
A “no-regrets” readiness checklist
If you’re a provider (or a business unit that produces ESG scores/opinions), these are the moves that pay off regardless of final rule detail:
- Map whether you’re in scope. What counts as an ESG rating/opinion/score in your product set?
- Inventory conflicts and separation requirements. Where do you mix ratings with consulting, assurance, benchmarks, or other services – and what separation controls exist today?
- Industrialize your methodology transparency. Document methodology, data sources, weighting logic, time horizons, limitations, and how AI is used (if applicable).
- Upgrade governance and recordkeeping. Clear roles/responsibilities, analyst competence standards, and record retention processes.
- Build the authorization playbook. EU: start planning for ESMA authorization/recognition and the RTS detail still to come. UK: track FCA consultation outcomes and plan for the authorization window ahead of 2028 applicability.
