How to Report Under ESRS S4: Consumers and End-Users for Non-Big 4 Auditors

What ESRS S4 actually covers

ESRS S4 is the social standard most companies underestimate. It sits alongside S1 (Own Workforce), S2 (Workers in the Value Chain), S3 (Affected Communities), and the environmental topical standards in the ESRS architecture, but its scope is different. S4 doesn’t ask about your client’s employees or supply chain workers. It asks about the people who buy and use the client’s products or services.

Paragraph 2 lists the sub-topics the materiality assessment should consider. The amended ESRS explicitly specifies them as information-related impacts (privacy, access to information, freedom of expression), personal safety of consumers and end-users (product health and safety, personal security, protection of children), and social inclusion (non-discrimination, access to products and services). In practice, these categories determine which S4 disclosures apply. If the DMA identifies data privacy as the only material sub-topic, the client reports on S4 only for data privacy. When product safety is material but information-related impacts aren’t, the client can skip disclosures on privacy.

S4 draws a boundary that matters for your engagement. It covers impacts arising from the undertaking’s own operations and value chain, including through its products and services. It does not cover the illegal use or misuse of products by consumers. If a pharmaceutical company makes a drug that is safe when used as directed but harmful when abused, the abuse falls outside S4’s scope. Your client doesn’t need to report on impacts it cannot control. The amended ESRS made this exclusion explicit.

Where S4 interacts with other standards, the social standard architecture applies. ESRS 2 SBM-3 requires the undertaking to disclose how material consumer impacts interact with its strategy and business model. S4 AR 6 (application guidance, original numbering) provides examples: a business model built on online platforms creates potential for online and offline harm to users, while a sales-incentive structure that pushes products beyond what consumers need creates potential for mis-selling. When the DMA identifies consumer impacts, we check whether the strategy and business model discussion in ESRS 2 addresses them. If not, the sustainability statement has a structural gap.

How your client determines whether consumer impacts are material

The double materiality assessment for S4 uses the same ESRS 1 Chapter 3 framework as all other topical standards. Your client assesses impact materiality by severity (scale, scope, irremediability) and likelihood for potential impacts. Financial materiality asks whether consumer-related risks could affect the undertaking’s financial position, performance, cash flows, or access to finance.

What makes S4’s DMA different from the environmental standards is that the starting point is the product or service, not the operational site. For E3 or E4, you screen locations against water stress maps or biodiversity databases. For S4, you screen the client’s product portfolio against the sub-topics in paragraph 2. A food manufacturer needs to assess product safety. A SaaS company needs to assess data privacy. A children’s toy manufacturer needs to assess child protection. A financial services firm needs to assess fair marketing and access to products.

Paragraph 10 (original numbering) requires the undertaking to disclose whether all consumers and end-users likely to be materially impacted have been identified, including those with particular characteristics that may put them at greater risk of harm. “Particular characteristics” means age, disability, socioeconomic status, or geographic location. A telecoms company selling mobile plans to elderly customers in rural areas has a different S4 risk profile than the same company selling enterprise connectivity to large corporate clients. So your assurance procedures should check whether the DMA considered vulnerable consumer groups, not just the average consumer.

At firms like ours, we find S4 materiality for mid-tier Dutch clients is concentrated in product safety and data privacy. Very few mid-sized Dutch companies have significant information-related impacts (freedom of expression, access to information) unless they operate digital platforms. A manufacturing client that concludes S4 is not material because it has “no direct consumer contact” may be wrong if its product ends up in consumer hands through a retail channel. The packaging manufacturer in the opening scenario is a good example: the end-user (the person eating food from the packaging) has a health and safety interest even though the manufacturer sells B2B.

Disclosure requirements in practice

The original 2023 S4 contained five disclosure requirements (S4-1 through S4-5). The December 2025 amended ESRS restructured and simplified them, merging S4-2 (Engagement) and S4-3 (Grievance mechanisms and remediation) into a single disclosure. The disclosure architecture follows the same Policies, Actions, Targets pattern as the other social standards, referencing ESRS 2’s General Disclosure Requirements (GDRs) as the baseline.

S4-1: Policies related to consumers and end-users

Paragraph 13 requires disclosure of the undertaking’s policies for managing material consumer-related impacts, risks and opportunities, following ESRS 2 MDR-P (now GDR-P in the amended ESRS). S4-specific requirements add layers that most clients don’t expect.

Paragraph 15 requires the undertaking to describe its human rights policy commitments relevant to consumers. This must include processes and mechanisms to monitor compliance with the UN Guiding Principles on Business and Human Rights (UNGPs), the ILO Declaration on Fundamental Principles and Rights at Work, or the OECD Guidelines for Multinational Enterprises. Per paragraph 15’s sub-requirements, the policy must address respect for consumer human rights, engagement with consumers, measures to provide or enable remedy for human rights impacts, and how compliance with these commitments is monitored.

In our experience, this is where the gap is widest. Most mid-market companies have product quality policies and data protection policies (GDPR compliance). Almost none frame these as human rights policies. A GDPR privacy policy satisfies some of S4-1’s requirements for the data privacy sub-topic, but it doesn’t address the broader human rights framing that paragraph 15 demands. We map the client’s existing policies against S4-1’s specific requirements and flag where the framing or coverage falls short. The amended ESRS didn’t remove this human rights alignment requirement. It’s genuinely frustrating for clients who assumed GDPR compliance was enough, and they push back hard on the idea that a privacy policy needs a human rights wrapper.

S4-2/S4-3: Engagement, grievance mechanisms, and remediation (merged in amended ESRS)

Originally S4 had separate disclosure requirements for engagement with consumers (S4-2, paragraph 20) and grievance/remediation processes (S4-3, paragraph 24). The amended ESRS merged these into a single disclosure, requiring the undertaking to describe how it engages with consumers, what channels exist for raising concerns (including formal grievance mechanisms), how the company provides remediation when it has caused or contributed to a material adverse impact, and how it assesses the effectiveness of those channels.

Specifically, the amended version requires an assessment of effectiveness referencing the criteria in UNGP Principle 31 on non-judicial mechanisms: legitimacy, accessibility, predictability, equitability, transparency, rights-compatibility, and being a source of continuous learning. In practice, a customer complaints hotline satisfies part of this requirement, but only if the company can demonstrate it assessed the hotline’s effectiveness against those criteria. A complaint form buried on page four of a website with no response time commitment and no tracking of resolution outcomes will be a finding in your assurance procedures.

For B2B companies where the “consumer” is another business, engagement and grievance mechanisms look different. Your client may engage through account management rather than a consumer hotline. The grievance mechanism may be the contractual dispute resolution clause. We check that the disclosure describes the actual mechanisms in use, not a generic description copied from a template. A similar challenge exists in ESRS G1 (Business Conduct), where supplier grievance mechanisms often look very different from the consumer-facing channels S4 envisions.

S4-4: Actions and resources

Paragraph 28 (original numbering) requires the undertaking to describe actions taken to prevent or remediate material negative impacts on consumers. It must also describe how it tracks the effectiveness of those actions.

The amended ESRS adds a specific requirement to explain how impacts are managed when tensions arise between consumer protection and commercial pressures. This is new and pointed. It asks, for example, whether the client’s marketing practices ever conflict with consumer safety (promoting products beyond their intended use), or whether data monetisation practices conflict with privacy commitments. Check whether the draft sustainability statement addresses this tension directly. If the client’s revenue model depends on personal data collection (as many digital businesses do), the tension between commercial interest and privacy protection is a disclosure point under the amended S4-4.

Your client must also disclose what resources are allocated to managing consumer-related impacts. As with the environmental standards, this means verifiable financial figures (CapEx or OpEx), not general statements about “investing in consumer safety.”

S4-5: Targets

Paragraph 35 (original numbering) requires the undertaking to disclose time-bound, outcome-oriented targets related to reducing negative impacts on consumers or managing material risks and opportunities.

Neither ESRS nor ISSB requires targets specifically for business conduct, and S4 is similar in that target-setting is relatively undeveloped for consumer impacts. Many companies in their first year of CSRD reporting will have no consumer-specific targets. Under the amended ESRS, if no targets exist, the undertaking should explain why and state whether it plans to set them. Having no targets in year one is far better than inventing PIOOMA numbers that lack baselines and tracking mechanisms. Appears reasonable. Waive further pursuit, as long as the explanation is documented.

What changed under the December 2025 Omnibus amendments

S4 received the third-largest datapoint reduction in the Omnibus simplification. The ERM analysis identified a 63.6% reduction in mandatory datapoints, behind only E4 (77.8%) and E3 (70.4%).

We see four changes that matter for your engagement.

S4-2 and S4-3 merged. Engagement with consumers and grievance/remediation processes are now disclosed together. This eliminates the repetition that plagued first-year reports, where companies described stakeholder engagement twice (once under S4-2, once partially duplicated under S4-3). The merged disclosure follows the UNGP sequencing: engagement, then channels for raising concerns, then remedy, then effectiveness assessment.

Scope exclusion clarified. The amended ESRS states explicitly that unlawful use or misuse of products by consumers falls outside S4’s scope. This was implicit in the original standard but caused confusion, particularly for pharmaceutical and gambling companies that faced questions about whether consumer abuse of their products required S4 reporting.

Overlap with ESRS 2 reduced. The original S4 repeated governance and impact, risk, and opportunity (IRO) process requirements already covered in ESRS 2. The amended version removes those duplications and references ESRS 2 directly. When your client previously had overlapping text in its ESRS 2 and S4 sections, the amended standard lets them consolidate.

Human rights incident reporting clarified. The amended S4 requires indication of whether human rights incidents connected to consumers have been identified, within confidentiality limits. This aligns with SFDR principal adverse impact indicator #14 (“Number of identified cases of severe human rights issues and incidents”). The disclosure is binary in the first instance: yes or no, incidents were identified. If yes, the undertaking describes the nature and outcome within the bounds of legal confidentiality.

The Quick Fix delegated act (entered into force 13 November 2025) also affects S4 directly. All Wave 1 companies can now apply the phase-in provision for S4, which previously applied only to companies with 750 or fewer employees. So Wave 1 reporters can defer full S4 reporting for FY2025 and FY2026, though they must still provide summarised information if consumer impacts are material.

Worked example: Groot Verpakkingen B.V.

Groot Verpakkingen B.V. is a food packaging manufacturer based in Amersfoort, Netherlands, with €52M revenue and 145 employees. The company produces plastic and cardboard packaging for dairy products, sold B2B to food producers across the Benelux. End-users are consumers who handle the packaging when purchasing and consuming dairy products. The packaging comes into direct contact with food.

A reviewer opening this file sees one material sub-topic (personal safety), a policy with a new human rights addendum, a grievance mechanism with a documented gap, verified CapEx on testing equipment, and a measurable target with a clear baseline. That is proportionate for a mid-sized B2B manufacturer, and it is the kind of file you can sign off on without going back for rework.

Practical checklist for your next CSRD engagement

Common mistakes in first-year S4 filings

• Treating GDPR compliance as the entire S4 disclosure. Data privacy is one sub-topic within S4’s scope. Paragraph 15 requires human rights policy commitments that go beyond regulatory compliance. A company can be fully GDPR-compliant and still have an incomplete S4-1 disclosure if its policy doesn’t address the engagement and remediation requirements in paragraphs 15(a) through (c).
• Ignoring B2B consumer impacts. The amended S4 covers consumers and end-users of the undertaking’s products and services, including through the value chain. A component manufacturer whose product ends up in a consumer device has a potential S4 interface. So does a chemicals company whose products are used in consumer goods. Your DMA should consider these downstream pathways even if the client sells exclusively B2B.
• Describing intentions as actions under S4-4. Planned improvements are targets (S4-5). Completed measures with allocated resources are actions (S4-4). Mixing them produces a sustainability statement where a reviewer can’t tell what actually happened in the reporting period.
• Omitting the tension between commercial and consumer interests. The amended S4-4 specifically asks how the company manages conflicts between consumer protection and commercial pressures. First-year reporters frequently skip this requirement, either because it feels uncomfortable or because the sustainability team isn’t aware the commercial tension disclosure exists.

Related content

• Double materiality assessment covers how the DMA process works across all ESRS topical standards, including specific considerations for social standards where the starting point is the affected stakeholder group rather than operational sites.
• IFRS 9 ECL Calculator is relevant for financial services clients where consumer lending practices create S4 exposure (fair marketing, access to products, over-indebtedness risk) and where expected credit loss calculations intersect with ESRS financial materiality.
• ESRS S1 own workforce reporting guide covers the parallel social standard for employees, which shares S4’s architecture (policies, engagement, grievance, actions, targets) but applies to the client’s own workers rather than consumers.
• How to report under ESRS E3: Water and marine resources is the environmental standard that most closely parallels S4’s scope challenge: determining materiality for an impact category where most mid-market companies haven’t previously collected structured data.

Related ciferi content

Related guides:

Put audit concepts into practice with these free tools:

Frequently asked questions

Further reading and source references

• ESRS S4 (Consumers and End-Users) is the topical standard governing all consumer-related sustainability disclosures under the CSRD.
• ESRS 1 (General Requirements), Chapter 3, sets out the DMA framework applicable to all topical standards including S4.
• ESRS 2 (General Disclosures) provides the baseline architecture through SBM-3 and the GDRs that S4 builds upon.
• UN Guiding Principles on Business and Human Rights (UNGPs) are the framework referenced by S4-1 paragraph 15 for consumer-related human rights policy commitments.