Supplying to US companies? Here's what you need to know about SB 253, SB 261, and SEC climate rules.
California's landmark climate disclosure laws โ SB 253 and SB 261 โ are reshaping what large US companies must report. As their supplier, you will be asked for emissions data and climate risk information. This guide explains what's required and when.
Key regulations in the USA
SB 253 โ Climate Corporate Data Accountability Act
Requires companies with over $1 billion in annual revenue doing business in California to publicly disclose their Scope 1, 2, and 3 greenhouse gas emissions. Scope 3 includes emissions from the entire supply chain โ meaning your buyers will need your emissions data to comply.
SB 261 โ Climate-Related Financial Risk Disclosure
Requires companies with over $500 million in annual revenue doing business in California to disclose climate-related financial risks in line with TCFD recommendations. As of April 2026, the Ninth Circuit is reviewing the district court's denial of a preliminary injunction motion โ no injunction has been confirmed. Enforcement timeline remains uncertain pending the court's decision.
SEC Climate Disclosure Rule
The US Securities and Exchange Commission proposed mandatory climate risk disclosures for public companies. The rule has been stayed pending legal challenges. Large public companies are preparing voluntarily in anticipation of eventual enforcement.
CARB โ California Air Resources Board
CARB is the enforcement body for SB 253. It is developing the reporting registry and verification standards. Non-compliance penalties have not yet been finalised but are expected to be significant.
CIRCIA โ Cyber Incident Reporting for Critical Infrastructure Act 2022
CIRCIA requires covered entities in 16 critical infrastructure sectors to report significant cyber incidents to CISA within 72 hours of reasonable belief that an incident has occurred, and ransomware payments within 24 hours of payment. CISA is developing final rules defining covered entities and reportable incidents. Organisations supplying to US critical infrastructure operators should prepare for cybersecurity due diligence requests.
SEC Cybersecurity Disclosure Rules
The SEC requires public companies to disclose material cybersecurity incidents on Form 8-K within 4 business days of determining materiality. Companies must also annually disclose their cybersecurity risk management processes in Form 10-K. This creates significant supply chain pressure: public companies will increasingly assess and disclose the cybersecurity posture of their key suppliers as part of their own risk management disclosures.
What this means for you as a supplier
If any of your customers are US companies with over $1 billion in annual revenue doing business in California, they are legally required to report their Scope 3 emissions โ which includes your emissions. You will receive requests for your Scope 1 and Scope 2 data, and potentially your own supply chain emissions. Prepare now by calculating your GHG footprint and documenting your methodology.
Key dates
FY 2025
Covered companies begin collecting Scope 1 & 2 data
August 10, 2026
First Scope 1 & 2 reports due to CARB (confirmed deadline)
FY 2026
Covered companies begin collecting Scope 3 data
2027
First Scope 3 reports due โ your emissions data will be requested
Last reviewed: April 2026. This guide is for general information only and does not constitute legal advice. Regulations change โ verify current requirements with a qualified adviser.
Received an SB 253 supplier questionnaire?
Download our free SB 253 Supplier Response Checklist โ a step-by-step guide to answering US buyer requests.