Why IT is the Backbone of Business Continuity—and Why It Must Be Part of CSRD Reporting
Picture this: You’re at the supermarket, ready to check out, and suddenly, the payment system crashes. Chaos ensues. Abandoned carts multiply. Frustrated customers leave. Now, scale that up to an e-commerce giant on Black Friday, a multinational bank on payday, or a hospital managing critical patient data.
IT failure isn’t just an inconvenience—it’s a business disaster.
Yet, when companies conduct their double materiality assessments under the Corporate Sustainability Reporting Directive (CSRD), IT often gets sidelined. Businesses analyze supply chain emissions, workforce well-being, and climate risks, but somehow overlook the very technology that keeps everything running.
This needs to change.
IT is not just a support function—it’s a strategic pillar of business continuity and sustainability. If CSRD is about recognizing key financial and environmental risks, then ignoring IT is like ignoring fire safety in a skyscraper—a risky oversight.
IT: A Critical Business Lifeline That’s Missing in CSRD
IT does more than just keep the WiFi from crashing. It ensures that:
Retailers and e-commerce platforms stay online because an outage on Black Friday is a financial nightmare.
Banks process transactions securely because a five-minute failure could disrupt global financial markets.
Hospitals manage patient records efficiently because in healthcare, an IT breakdown can be life-threatening.
Yet, many companies fail to include IT in their CSRD reports—often because they:
Underestimate IT’s environmental impact.
Fail to recognize that IT failures pose a serious financial risk.
Let’s break down why leaving IT out of CSRD is a critical mistake.
When IT Crashes, Business Crashes: The Cost of Downtime
CSRD requires companies to assess risks that impact long-term sustainability and financial health. IT disruptions fit this definition perfectly.
High-Profile IT Failures That Cost Millions
Target’s 2019 Payment System Meltdown
A two-hour outage across all U.S. stores left customers unable to pay. Shoppers abandoned carts, leading to an estimated $50 million loss in just 120 minutes. No cyberattack, no hacking—just an IT glitch that wiped out a day’s worth of revenue.
British Airways’ 2017 IT Breakdown
A power surge took down their entire IT infrastructure, grounding hundreds of flights. Seventy-five thousand passengers were stranded, millions were lost in refunds, and the total financial impact exceeded $100 million. The IT failure was so bad that luggage went missing for weeks.
RBS’s 2012 Banking Disaster
A failed software update locked millions of customers out of their accounts. Mortgage payments failed, salaries went unpaid, and businesses lost revenue. RBS ended up paying $200 million in compensation—a high price for IT negligence.
These cases prove a critical point: IT is not an isolated function—it’s the backbone of business resilience. If CSRD reporting is about risk assessment, IT must be included.
Why IT Needs to Be Part of CSRD’s Double Materiality Framework
The CSRD framework requires companies to assess sustainability through double materiality:
Financial Materiality – How sustainability factors impact the company’s financial health and long-term resilience.
Impact Materiality – How the company’s operations affect the environment and society.
IT falls into both categories—yet it is often missing from CSRD assessments.
IT Failures = Serious Financial Risks
IT disruptions are not just technical glitches—they are business risks:
Cybersecurity breaches result in regulatory fines, legal battles, and reputational damage.
System outages cause revenue losses, stock price drops, and customer churn.
Inefficient IT management increases operational costs over time.
If CSRD requires companies to report climate risks, supply chain vulnerabilities, and financial risks, why exclude IT—a critical enabler of business continuity?
IT’s Carbon Footprint Is Bigger Than You Think
Ignoring IT’s environmental impact in CSRD reporting is like counting factory emissions but ignoring the massive data centers powering global operations.
Data centers consume 1-2 percent of global electricity—as much as the entire aviation industry.
The global IT sector emits more CO₂ than airlines.
Older data center cooling systems contribute to CO₂eq emissions primarily through energy consumption. The use of PFAS in certain cooling technologies adds another layer of environmental concern, prompting the industry to seek alternative, more sustainable solutions.
E-waste is the fastest-growing waste stream, hitting more than 50 million metric tons annually.
Companies disclosing Scope 1, 2, and 3 emissions under CSRD must include IT infrastructure, cloud computing, and hardware usage.
How Companies Can Start Including IT in CSRD Reporting
To accurately reflect IT’s role in sustainability, companies should:
Include IT in double materiality assessments—evaluating both financial risk and environmental impact.
Track and report IT-related carbon emissions—data center energy use, cloud sustainability, and device lifecycle management.
Improve IT governance for sustainability—ensuring IT investments align with ESG (Environmental, Social, and Governance) goals.
Implement circular economy practices—reducing e-waste through hardware refurbishment, resale, and sustainable procurement.
IT is too critical to be ignored. If CSRD is about transparency and risk mitigation, businesses must start treating IT as both a risk factor and a sustainability opportunity.
Final Thoughts: IT as a CSRD Priority, Not an Afterthought
IT is not just a technical function—it’s the backbone of modern business continuity. Every transaction, supply chain, and customer interaction depends on resilient IT infrastructure.
CSRD was designed to capture what truly matters in a company’s sustainability and risk strategy. Yet, IT—the digital nervous system of every organization—is often missing from the conversation.
If businesses fail to include IT in their CSRD reporting, they are leaving a massive blind spot in their sustainability and risk assessments.
So, next time someone says, “IT doesn’t need to be in CSRD,” remind them of Target’s payment disaster, British Airways’ flight chaos, and RBS’s banking nightmare—and ask if they’d be comfortable ignoring those risks in sustainability disclosures.
Because IT isn’t just about technology—it’s about business survival.
Bonus: The Blackout Protocol: A Government Data Center Horror Story
The Omega Facility was an aging government data center, the kind of place where time stood still. Originally built in the 1990s, it had been expanded, patched, and neglected in equal measure. It was supposed to power the National Financial Stability Office, the nerve center for monitoring and regulating the country’s financial systems. But behind the official reports and confident assurances, Omega was a disaster waiting to happen.
Nobody talked about compliance. The facility should have been up to standards like DORA, NIS2, and ISO 27001, but audits were rare and follow-up actions even rarer. Everything about the place screamed “temporary fix”—except the fixes had been in place for decades.
And then, one night, everything went wrong.
Day Zero: The First Spark
It started with a routine systems update—or at least, that’s what the overnight technician thought. A ransomware worm had slipped through an unpatched firewall vulnerability, but the real danger wasn’t the cyberattack itself. The true catastrophe was waiting in the physical infrastructure.
At 2:37 AM, an unnoticed cooling failure started a chain reaction. The server room’s aging air conditioning unit—held together with zip ties and wishful thinking—sputtered and died. The sensors should have sent an alert, but the monitoring system had been running on outdated firmware that no one had updated in years.
Temperatures climbed. Wires baked inside tangled nests of neglected cabling. A single overloaded circuit—one that should have tripped a breaker—held on just long enough to start a small, unseen fire inside a rack of aging hard drives.
By the time anyone realized what was happening, the damage had already begun.
Day One: Total System Failure
As the sun rose, banks failed to open. Customers refreshing their banking apps were met with spinning wheels and error messages. ATMs refused withdrawals. Supermarkets, gas stations, and public services—all frozen in place, waiting for systems that wouldn’t come back online.
Inside Omega, the overnight team fought to regain control. Someone tried to switch to the backup generator—but it had never been properly tested. When they pressed the activation button, the generator choked, sputtered, and died.
The facility’s cabling was a disaster. Years of undocumented “temporary fixes” meant that no one could tell where half the power lines led. When the team tried to reroute power, they accidentally cut off the one remaining active server cluster.
That was when the main power supply failed completely.
The screens went dark. The silence was suffocating.
Day Two: Economic Collapse
Across the country, the effects spiralled out of control. Businesses couldn’t process payments. Public transportation systems failed. Panic set in. A desperate mob looted a cash distribution center, while in another city, gas stations erupted in riots as people realized credit card payments were useless.
At Omega, the few remaining technicians scrambled to assess the damage. The entire network storage system had corrupted beyond repair. Without backups—because someone had quietly cut them to save money years ago—there was no easy way to restore financial records.
The director of Omega stood in stunned silence. He knew the truth now: there was no recovery from this.
A single final message flickered on the last remaining monitor before it, too, went black:
"Compliance is not optional."
Then, the emergency lights failed, leaving the facility in absolute darkness.