SB 261 is California’s landmark climate risk reporting law, requiring companies with over $500 million in annual revenue to publish biennial SB 261 climate risk reports starting in 2026, aligned with the TCFD framework or an approved equivalent.
This post breaks down:
What SB 261 requires
Who it applies to
What counts as climate-related financial risk
Reporting format and timelines
How this connects with SEC, CSRD, and ISSB regulations
What steps risk teams should take now
What Is SB 261?
Senate Bill 261 — passed in 2023 — requires large companies operating in California to publicly disclose climate-related financial risks and explain how they’re addressing them.
Unlike emissions-focused regulations (like SB 253), SB 261 focuses on the economic impact of climate change on the company itself — including both physical risks (like wildfires and floods) and transition risks (like policy changes, stranded assets, and customer shifts).
Which Companies Must Comply?
| Requirement | Threshold |
| --- | --- |
| Entity Type | Public or private corporations, LLCs, partnerships |
| Revenue | Over $500 million USD (global annual revenue) |
| Geography | Must “do business” in California |
| Exemptions | Insurance companies regulated by the CA Department of Insurance |
This applies to both U.S. and non-U.S. companies if they meet the revenue and presence thresholds.
What Is a Climate-Related Financial Risk Report?
Companies must prepare a public-facing, biennial report covering:
Identification of climate-related financial risks
Actions and strategies to mitigate or adapt to those risks
The definition of “climate-related financial risk” is broad. It includes material risks to operations, supply chains, employees, customers, capital investments, and market valuation — caused by climate impacts or the transition to a low-carbon economy.
Reporting Standards: TCFD, IFRS S2, or Equivalent
SB 261 aligns with globally recognized standards:
Primary framework: Task Force on Climate-related Financial Disclosures (TCFD)
Also accepted: IFRS Sustainability Disclosure Standards (IFRS S2)
Equivalents allowed: SEC climate disclosure rules (once finalized), other government mandates
The report must include TCFD’s four pillars:
| TCFD Pillar | What It Covers |
| --- | --- |
| Governance | Who’s responsible for managing climate risks? |
| Strategy | What are the actual and potential impacts of climate change? |
| Risk Management | How are climate risks identified and managed? |
| Metrics & Targets | How are risks measured and progress tracked? |
Disclosure Timeline and Publication Requirements
| Requirement | Date |
| --- | --- |
| First report due | January 1, 2026 |
| Update frequency | Every 2 years |
| Publication method | Company’s website (public access required) |
| Consolidated reporting | Allowed at parent level if subsidiaries meet threshold |
Companies must submit their report to a state-designated climate reporting organization, which will produce an independent biennial review of public disclosures.
Penalties and Enforcement
| Violation | Penalty |
| --- | --- |
| No report published | Up to $50,000 annually |
| Inadequate/incomplete disclosure | Same threshold, based on severity |
| Factors considered | Effort, timing, and compliance history |
Companies must also pay an annual administrative fee to fund state oversight. Fee amounts will be published by CARB and adjusted annually for inflation.
How to Prepare: A Practical Path for Risk and Compliance Teams
1. Identify your exposure
Use climate scenario tools to map physical and transition risks
Focus on geographies, asset classes, energy dependencies, and critical suppliers
2. Align governance
Assign board-level oversight
Define internal responsibility and budget for climate risk
3. Choose your reporting framework
Use TCFD now, but prepare for convergence with ISSB or SEC standards
Document assumptions and gaps
4. Map risk to financial outcomes
Consider how risks impact cash flow, margins, asset values, insurance, and access to capital
5. Build reporting infrastructure
Centralize climate data collection
Tag risks by business unit and geography
Version-control your reports for public publication
6. Get ready for transparency
SB 261 disclosures are public — they will be read by investors, customers, and regulators
Treat them as part of your reputation and risk narrative
Sprih’s Support for SB 261 Disclosures
Sprih works with large enterprises to:
Align existing ESG and risk processes with SB 261’s requirements
Structure TCFD- or ISSB-based reports with investor-grade clarity
Create crosswalks between SB 253, SB 261, and CSRD/SEC formats
Map risks across business lines, suppliers, and financial statements
Maintain a defensible audit trail and publishing-ready reports
Our platform is already supporting global companies preparing for dual compliance across jurisdictions.
FAQs
What does SB 261 require companies to report?
SB 261 requires covered companies to publish a climate-related financial risk report every two years. The report must outline material physical and transition risks posed by climate change and describe the actions taken to mitigate or adapt to those risks. It must align with the TCFD framework or an equivalent standard.
Which companies are subject to SB 261 climate risk reporting?
Any company organized in the United States with annual revenue over USD 500 million and doing business in California must comply, with the sole exemption being insurance companies.
When must the first SB 261 risk report be submitted and how frequently thereafter?
The first risk report is due by January 1, 2026, and reports must be updated and published every two years thereafter.
What risks must be described in the SB 261 report?
The report must cover both physical risks—such as wildfires, floods, and heatwaves—and transition risks, including policy changes, carbon pricing, consumer shifts, and regulatory pressures.
How must SB 261 reports be published and made available?
Companies must make their SB 261 climate risk report available on their own publicly accessible website. CARB will engage a nonprofit to review disclosures and publish a biennial state-wide assessment.
What happens if a company cannot fully complete one or more sections of the report?
The company must explicitly state which sections are incomplete, explain why the data is unavailable, and outline the steps it will take to fill those gaps in future disclosures.
What are the penalties for non‑compliance with SB 261?
Companies that fail to publish a report or submit one deemed inadequate can face administrative penalties of up to USD 50,000 per reporting year. Enforcement considers whether the company made a good-faith effort, disclosed limitations, and outlined a compliance roadmap.