Key Takeaways
- How to assess whether consumer and end-user impacts are material for your client, including which sub-topics the DMA should screen (ESRS S4 paragraph 2)
- What each ESRS S4 disclosure requirement demands in practice, with paragraph-level references to the original and amended standards
- What changed between the 2023 ESRS S4 and the December 2025 amended version, including the merger of engagement and grievance disclosures into a single requirement
- How to identify the most common gap in first-year S4 filings: the absence of a human rights policy that specifically covers consumers
What ESRS S4 actually covers
Your client manufactures food packaging for the European market. The sustainability team’s DMA flagged consumer health and safety as material because the packaging comes into direct contact with food products. The team drafted a two-page section for the sustainability statement that describes the company’s quality management system in generic terms and calls it the S4 disclosure. You open ESRS S4 paragraph 15 and realise it asks for human rights policy commitments aligned with the UN Guiding Principles. A quality management system isn’t a human rights policy. The gap is wider than the client thinks.
ESRS S4 is the social standard most companies underestimate. It sits alongside ESRS S1 (Own Workforce), S2 (Workers in the Value Chain), and S3 (Affected Communities) in the ESRS social pillar, but its scope is different. S4 doesn’t ask about your client’s employees or supply chain workers. It asks about the people who buy and use the client’s products or services.
ESRS S4 paragraph 2 lists the sub-topics the materiality assessment should consider. The amended ESRS explicitly specifies them as information-related impacts (privacy, access to information, freedom of expression), personal safety of consumers and end-users (product health and safety, personal security, protection of children), and social inclusion (non-discrimination, access to products and services). These categories determine which S4 disclosures apply. If the DMA identifies data privacy as the only material sub-topic, the client reports on S4 only for data privacy. If product safety is material but information-related impacts aren’t, the client can skip disclosures on privacy.
The standard draws a boundary that matters for your engagement. ESRS S4 covers impacts arising from the undertaking’s own operations and value chain, including through its products and services. It does not cover the illegal use or misuse of products by consumers. If a pharmaceutical company makes a drug that is safe when used as directed but harmful when abused, the abuse falls outside S4’s scope. Your client doesn’t need to report on impacts it cannot control. The amended ESRS made this exclusion explicit.
The interaction with other standards follows the social standard architecture. ESRS 2 SBM-3 requires the undertaking to disclose how material consumer impacts interact with its strategy and business model. ESRS S4 AR 6 (application guidance, original numbering) provides examples: a business model built on online platforms creates potential for online and offline harm to users; a sales-incentive structure that pushes products beyond what consumers need creates potential for mis-selling. If the DMA identifies consumer impacts, check whether the strategy and business model discussion in ESRS 2 addresses them. If not, the sustainability statement has a structural gap.
How your client determines whether consumer impacts are material
The double materiality assessment for ESRS S4 uses the same ESRS 1 Chapter 3 framework as all other topical standards. Impact materiality is assessed by severity (scale, scope, irremediability) and likelihood for potential impacts. Financial materiality asks whether consumer-related risks could affect the undertaking’s financial position, performance, or cash flows.
What makes S4’s DMA different from the environmental standards is that the starting point is the product or service, not the operational site. For ESRS E3 or E4, you screen locations against water stress maps or biodiversity databases. For S4, you screen the client’s product portfolio against the sub-topics in paragraph 2. A food manufacturer needs to assess product safety. A SaaS company needs to assess data privacy. A children’s toy manufacturer needs to assess child protection. A financial services firm needs to assess fair marketing and access to products.
ESRS S4 paragraph 10 (original numbering) requires the undertaking to disclose whether all consumers and end-users likely to be materially impacted have been identified, including those with particular characteristics that may put them at greater risk of harm. “Particular characteristics” means age, disability, socioeconomic status, literacy, or geographic location. A telecoms company selling mobile plans to elderly customers in rural areas has a different S4 risk profile than the same company selling enterprise connectivity to large corporate clients. Your assurance procedures should check whether the DMA considered vulnerable consumer groups, not just the average consumer.
For most non-Big 4 clients in the Netherlands, S4 materiality is concentrated in product safety and data privacy. Very few mid-sized Dutch companies have significant information-related impacts (freedom of expression, access to information) unless they operate digital platforms. The DMA should reflect this. A manufacturing client that concludes S4 is not material because it has “no direct consumer contact” may be wrong if its product ends up in consumer hands through a retail channel. The packaging manufacturer in the opening example is a good illustration: the end-user (the person eating food from the packaging) has a health and safety interest even though the manufacturer sells B2B.
The disclosure requirements in practice
The original 2023 ESRS S4 contained five disclosure requirements (S4-1 through S4-5). The December 2025 amended ESRS restructured and simplified them, merging S4-2 (Engagement) and S4-3 (Grievance mechanisms and remediation) into a single disclosure. The disclosure architecture follows the same Policies, Actions, Targets pattern as the other social standards, referencing ESRS 2’s General Disclosure Requirements (GDRs) as the baseline.
S4-1: Policies related to consumers and end-users
ESRS S4 paragraph 13 requires disclosure of the undertaking’s policies for managing material consumer-related impacts, risks and opportunities, following ESRS 2 MDR-P (now GDR-P in the amended ESRS). The S4-specific requirements add layers that most clients don’t expect.
Paragraph 15 requires the undertaking to describe its human rights policy commitments relevant to consumers. This must include processes and mechanisms to monitor compliance with the UN Guiding Principles on Business and Human Rights, the ILO Declaration on Fundamental Principles and Rights at Work, or the OECD Guidelines for Multinational Enterprises. The policy must address (per paragraph 15’s sub-requirements) respect for consumer human rights, engagement with consumers, and measures to provide or enable remedy for human rights impacts.
For your engagement, this is the disclosure where the gap is widest. Most mid-market companies have product quality policies, data protection policies (GDPR compliance), and customer complaint procedures. Almost none frame these as human rights policies. A GDPR privacy policy satisfies some of S4-1’s requirements for the data privacy sub-topic, but it doesn’t address the broader human rights framing that paragraph 15 demands. Your assurance procedures should map the client’s existing policies against S4-1’s specific requirements and flag where the framing or coverage falls short. The amended ESRS didn’t remove this human rights alignment requirement.
S4-2/S4-3: Engagement, grievance mechanisms, and remediation (merged in amended ESRS)
The original ESRS S4 had separate disclosure requirements for engagement with consumers (S4-2, paragraph 20) and grievance/remediation processes (S4-3, paragraph 24). The amended ESRS merged these into a single disclosure, requiring the undertaking to describe how it engages with consumers, what channels exist for raising concerns (including formal grievance mechanisms), and how the company provides remediation when it has caused or contributed to a material adverse impact.
The amended version requires an assessment of the effectiveness of these channels, referencing the criteria in Principle 31 of the UN Guiding Principles on non-judicial mechanisms (legitimacy, accessibility, predictability, equitability, transparency, rights-compatibility, and being a source of continuous learning). In practice, a customer complaints hotline satisfies part of this requirement, but only if the company can demonstrate it assessed the hotline’s effectiveness against those criteria. A complaint form buried on page four of a website with no response time commitment and no tracking of resolution outcomes will be a finding in your assurance procedures.
For B2B companies where the “consumer” is another business, the engagement and grievance mechanisms look different. The client may engage through account management rather than a consumer hotline. The grievance mechanism may be the contractual dispute resolution clause. Your procedures should check that the disclosure describes the actual mechanisms in use, not a generic description copied from a template. The parallel challenge exists in ESRS G1 (Business Conduct), where supplier grievance mechanisms often look very different from the consumer-facing channels S4 envisions.
S4-4: Actions and resources
ESRS S4 paragraph 28 (original numbering) requires the undertaking to describe actions taken to prevent, mitigate, or remediate material negative impacts on consumers. The undertaking must also describe how it tracks the effectiveness of those actions.
The amended ESRS adds a specific requirement to explain how impacts are managed when tensions arise between consumer protection and commercial pressures. This is a new and pointed requirement. It asks, for example, whether the client’s marketing practices ever conflict with consumer safety (promoting products beyond their intended use), or whether data monetisation practices conflict with privacy commitments. Check whether the draft sustainability statement addresses this tension directly. If the client’s revenue model depends on personal data collection (as many digital businesses do), the tension between commercial interest and privacy protection is a disclosure point under the amended S4-4.
The undertaking must also disclose what resources are allocated to managing consumer-related impacts. As with the environmental standards, this means verifiable financial figures (CapEx or OpEx), not general statements about “investing in consumer safety.”
S4-5: Targets
ESRS S4 paragraph 35 (original numbering) requires the undertaking to disclose time-bound, outcome-oriented targets related to reducing negative impacts on consumers, advancing positive impacts, or managing material risks and opportunities.
No ESRS standard and no ISSB standard requires targets specifically for business conduct, and S4 is similar in that target-setting is relatively undeveloped for consumer impacts. Many companies in their first year of CSRD reporting will have no consumer-specific targets. In the amended ESRS, if no targets exist, the undertaking should explain why and state whether it plans to set them. This is a legitimate disclosure. Having no targets in year one is far better than inventing targets that lack baselines and tracking mechanisms.
What changed under the December 2025 Omnibus amendments
ESRS S4 received the third-largest datapoint reduction in the Omnibus simplification. The ERM analysis identified a 63.6% reduction in mandatory datapoints, behind only E4 (77.8%) and E3 (70.4%).
The changes that matter for your engagement fall into four categories.
S4-2 and S4-3 merged. Engagement with consumers and grievance/remediation processes are now disclosed together. This eliminates the repetition that plagued first-year reports, where companies described stakeholder engagement twice (once under S4-2, once partially duplicated under S4-3). The merged disclosure follows the sequencing of the UN Guiding Principles: engagement, then channels for raising concerns, then remedy.
Scope exclusion clarified. The amended ESRS states explicitly that the unlawful use or misuse of products by consumers falls outside S4’s scope. This was implicit in the original standard but caused confusion, particularly for pharmaceutical, alcohol, and tobacco companies that faced questions about whether consumer abuse of their products required S4 reporting.
Overlap with ESRS 2 reduced. The original S4 repeated several governance, strategy, and IRO process requirements already covered in ESRS 2. The amended version removes those duplications and references ESRS 2 directly. If the client previously had overlapping text in its ESRS 2 and S4 sections, the amended standard lets them consolidate.
Human rights incident reporting clarified. The amended S4 requires indication of whether human rights incidents connected to consumers have been identified, within confidentiality limits. This aligns with SFDR principal adverse impact indicator #14 (“Number of identified cases of severe human rights issues and incidents”). The disclosure is binary in the first instance: yes or no, incidents were identified. If yes, the undertaking describes the nature and outcome within the bounds of legal confidentiality.
The Quick Fix delegated act (entered into force 13 November 2025) also affects S4 directly. All Wave 1 companies can now apply the phase-in provision for S4, which previously applied only to companies with 750 or fewer employees. This means Wave 1 reporters can defer full S4 reporting for FY2025 and FY2026, though they must still provide summarised information if consumer impacts are material.
Worked example: Groot Verpakkingen B.V.
Client profile: Groot Verpakkingen B.V. is a food packaging manufacturer based in Amersfoort, Netherlands, with €52M revenue and 145 employees. The company produces plastic and cardboard packaging for dairy products, sold B2B to food producers across the Benelux. End-users are consumers who handle the packaging when purchasing and consuming dairy products. The packaging comes into direct contact with food.
Step 1: Materiality assessment
Groot Verpakkingen’s DMA screens the product portfolio against S4’s sub-topics. Personal safety is material: packaging that contacts food must comply with EU Regulation (EC) No 1935/2004 on food contact materials. Chemical migration from packaging to food is a health risk. Information-related impacts (privacy, freedom of expression) are not material because the company collects no consumer data. Social inclusion is assessed as not material. The DMA concludes that S4 is material for the personal safety (health and safety) sub-topic only.
Documentation note
Record which sub-topics were assessed, the rationale for materiality conclusions, the regulatory framework referenced (Regulation (EC) 1935/2004), and the basis for excluding non-material sub-topics. Cross-reference to the DMA summary in ESRS 2.
Step 2: Policies (S4-1)
Groot Verpakkingen has a product quality policy aligned with ISO 22000 (food safety management). The policy covers raw material sourcing (food-grade plastics and cardboard), production process controls (migration testing per EN 1186 series), and batch traceability. The company does not have a standalone human rights policy referencing the UN Guiding Principles.
The sustainability team drafts an addendum to the existing quality policy that frames food contact safety as a consumer health right and references the UN Guiding Principles’ expectation that businesses avoid causing adverse human rights impacts through their products. The addendum is approved by the management board in November 2024.
Documentation note
Map S4-1 paragraph 15 requirements against the quality policy and the new addendum. Note that the addendum was adopted during the reporting period. Verify board approval. Flag that the policy covers the health and safety sub-topic but does not cover data privacy or social inclusion (these were assessed as not material, so no gap exists).
Step 3: Engagement and grievance (merged S4-2/S4-3)
Groot Verpakkingen doesn’t sell directly to consumers. Consumer engagement occurs through its B2B clients (the food producers), who handle consumer complaints. Groot Verpakkingen’s own grievance mechanism for product quality issues is a dedicated quality complaints inbox monitored by the QA manager. In 2024, the company received 12 quality complaints from B2B clients, of which two related to migration testing results outside specification. Both were resolved through batch recalls and root cause analysis within 30 days.
Documentation note
Describe the indirect engagement pathway (through B2B clients). Document the QA complaints inbox as the grievance mechanism. Record the 12 complaints, the two food safety-related complaints, the resolution pathway, and the 30-day resolution timeline. Note that no formal assessment of grievance mechanism effectiveness against UNGP Principle 31 criteria has been performed. Flag this as a disclosure gap for the assurance file.
Step 4: Actions and resources (S4-4)
In 2024, Groot Verpakkingen invested €95,000 in upgraded migration testing equipment (gas chromatography system) and €32,000 in training its QA team on the revised EN 1186 testing protocols. The upgraded equipment reduced testing turnaround from five days to two days per batch, enabling 100% batch testing instead of the previous 40% sampling approach.
Documentation note
Verify CapEx and OpEx against invoices, purchase orders, and training records. Document the before-and-after testing coverage (40% sampling to 100% batch testing). Link the action to the specific consumer impact it addresses (reduced risk of non-compliant packaging reaching the food chain).
Step 5: Targets (S4-5)
Groot Verpakkingen has set a target of zero migration exceedances by the end of 2025 (defined as zero batches failing EN 1186 migration limits). The baseline is 2023, when two batches failed. In 2024, two batches failed (prior to the equipment upgrade in Q3). The target tracking mechanism is the QA batch testing log.
Documentation note
Record the target, the baseline year and figure, the 2024 performance, and the tracking mechanism. Note that the target is voluntary (no regulatory mandate requires zero exceedances, though Regulation 1935/2004 requires compliance). Verify the batch testing log supports the reported figures.
The completed S4 section for Groot Verpakkingen is tightly scoped. One sub-topic (personal safety), one policy with a new human rights addendum, one grievance mechanism with a documented gap, two concrete actions with verified financials, and one measurable target with a clear baseline. A reviewer sees a proportionate disclosure for a mid-sized B2B manufacturer.
Practical checklist for your next CSRD engagement
- Screen the client’s product and service portfolio against ESRS S4 paragraph 2’s sub-topics: information-related impacts (privacy, freedom of expression, access to information), personal safety (health and safety, personal security, child protection), and social inclusion (non-discrimination, access to products and services). Document which sub-topics are material and which are not, with rationale for each.
- Check whether the client has a human rights policy that specifically covers consumers (ESRS S4 paragraph 15). A GDPR privacy policy or ISO quality management policy may cover parts of the requirement, but S4-1 asks for alignment with the UN Guiding Principles on Business and Human Rights. Map the existing policies against paragraph 15’s sub-requirements and flag gaps.
- For the merged engagement and grievance disclosure (amended S4-2/S4-3), verify that grievance mechanisms exist for consumers (direct or indirect). Check whether the company has assessed their effectiveness against UNGP Principle 31 criteria. If no formal effectiveness assessment exists, flag it as a disclosure gap.
- Verify that S4-4 actions include verifiable financial resource allocations. A statement about “investing in consumer safety” without a corresponding figure is an incomplete disclosure under the amended ESRS.
- If the client has no consumer-specific targets (S4-5), confirm the sustainability statement explains why and states whether targets are planned. An absence of targets in year one is legitimate if explained. An unexplained absence is a gap.
- Cross-check the S4 disclosures against ESRS 2 SBM-3. If the DMA identified material consumer impacts, the strategy and business model discussion in ESRS 2 must address how those impacts interact with the business model. If SBM-3 discusses climate and supply chain but not consumer safety, the sustainability statement has a structural inconsistency.
Common mistakes in first-year ESRS S4 filings
- Treating GDPR compliance as the entire S4 disclosure. Data privacy is one sub-topic within S4’s scope. ESRS S4 paragraph 15 requires human rights policy commitments that go beyond regulatory compliance. A company can be fully GDPR-compliant and still have an incomplete S4-1 disclosure if its policy doesn’t address the engagement and remediation requirements in paragraphs 15(a) through (c).
- Ignoring B2B consumer impacts. The amended ESRS S4 covers consumers and end-users of the undertaking’s products and services, including through the value chain. A component manufacturer whose product ends up in a consumer device has a potential S4 interface. A chemicals company whose products are used in consumer goods has a potential S4 interface. The DMA should consider these downstream pathways even if the client sells exclusively B2B.
- Describing intentions as actions under S4-4. The same distinction that applies in the environmental standards applies here. Planned improvements are targets (S4-5). Completed measures with allocated resources are actions (S4-4). Mixing them produces a sustainability statement where a reviewer can’t tell what actually happened in the reporting period.
- Omitting the tension between commercial and consumer interests. The amended S4-4 specifically asks how the company manages conflicts between consumer protection and commercial pressures. First-year reporters frequently skip this requirement, either because it feels uncomfortable or because the sustainability team isn’t aware the commercial tension disclosure exists.
Frequently asked questions
Does ESRS S4 apply to B2B companies that don’t sell directly to consumers?
Yes. ESRS S4 covers consumers and end-users of the undertaking’s products and services, including through the value chain. A component manufacturer whose product ends up in a consumer device, or a packaging company whose packaging contacts food, has a potential S4 interface even if it sells exclusively B2B. The DMA should consider these downstream pathways.
Is a GDPR privacy policy sufficient to meet ESRS S4-1 requirements?
No. A GDPR privacy policy may satisfy part of S4-1’s requirements for the data privacy sub-topic, but ESRS S4 paragraph 15 requires human rights policy commitments aligned with the UN Guiding Principles on Business and Human Rights, including processes for engagement with consumers and measures to provide remedy. GDPR compliance alone does not cover this broader human rights framing.
What changed in ESRS S4 under the December 2025 Omnibus amendments?
The Omnibus amendments reduced mandatory datapoints by 63.6%. Key changes include the merger of S4-2 and S4-3 into a single disclosure, explicit clarification that unlawful product misuse falls outside S4’s scope, removal of duplications with ESRS 2, and clarification of human rights incident reporting requirements. The Quick Fix delegated act also extended the S4 phase-in provision to all Wave 1 companies.
What sub-topics does ESRS S4 cover?
ESRS S4 paragraph 2 specifies three categories: information-related impacts (privacy, access to information, freedom of expression), personal safety of consumers and end-users (product health and safety, personal security, protection of children), and social inclusion (non-discrimination, access to products and services). The DMA determines which sub-topics are material for each specific undertaking.
Can a company legitimately have no consumer-specific targets under ESRS S4-5?
Yes. Under the amended ESRS, if no consumer-specific targets exist, the undertaking should explain why and state whether it plans to set them. Having no targets in year one is a legitimate disclosure if explained. An unexplained absence of targets, however, is a gap that should be flagged in the assurance file.
Further reading and source references
- ESRS S4, Consumers and End-Users: the topical standard governing all consumer-related sustainability disclosures under the CSRD.
- ESRS 1, General Requirements: Chapter 3 sets out the double materiality assessment framework applicable to all topical standards including S4.
- ESRS 2, General Disclosures: SBM-3 and the General Disclosure Requirements (GDRs) provide the baseline architecture that S4 builds upon.
- UN Guiding Principles on Business and Human Rights: the framework referenced by S4-1 paragraph 15 for consumer-related human rights policy commitments.