ARTICLE • 5 min

California SB261: Who Needs to Comply and What Does a Climate Risk Report Actually Require?

July 2, 2026

California's SB261, the Climate-Related Financial Risk Act, came into effect in 2024, but the compliance picture in 2026 is more complicated than many companies expected. The statute's original January 1, 2026 reporting deadline is no longer operative. At the same time, SB261's companion law, SB253, remains on a firmer footing, though its own first-year deadline has just shifted: on June 24, 2026, CARB announced it intends to defer the Scope 1 and 2 emissions reporting deadline from August 10 to November 10, 2026, pending a short public comment period and final approval by the Office of Administrative Law. 

For sustainability leaders at US companies, these two laws together represent the most practically significant climate disclosure obligations to arrive in the domestic market — and both continue to be widely misunderstood in terms of who they apply to, what they require, and where things currently stand.

This article cuts through the ambiguity. It covers who is in scope, what a compliant SB261 report needs to contain, how SB261 relates to other frameworks you may already be reporting against, where the litigation stands, and the common mistakes companies are making right now.

What Is SB261?

SB261 — formally the Climate-Related Financial Risk Act — was signed into California law in October 2023. It requires large companies doing business in California to publicly disclose their climate-related financial risks, in line with the TCFD (Task Force on Climate-related Financial Disclosures) framework.

SB261 sits alongside California's other major climate disclosure law, SB253 (the Climate Corporate Data Accountability Act), which focuses on greenhouse gas emissions reporting across Scopes 1, 2, and 3. While SB253 governs emissions data, SB261 is specifically about climate risk — how physical and transition risks could materially affect a company's business, operations, and financial position.

Who Needs to Comply with SB261?

SB261 applies to companies that meet both of the following criteria:

  • Annual revenues exceeding $500 million
  • Doing business in California — a standard that CARB has now formally defined via its February 2026 regulations as actively engaging in transactions for financial or pecuniary gain, and either being organized or commercially domiciled in California, or having California sales that exceed $757,070 (2025 threshold) or 25% of total sales

This is a wide net. It captures major US multinationals, large private companies, and foreign companies with a significant California footprint — not just publicly listed entities. If your company has material revenue from California customers or meaningful California-based operations and exceeds the $500 million threshold, you are very likely in scope.

There is no industry exemption. SB261 applies across sectors: manufacturing, retail, technology, logistics, financial services, agriculture, real estate, and beyond. Exemptions are limited to nonprofits, certain government entities, and entities whose only California activity is teleworking employees.

Key Compliance Dates

A note on SB261 enforcement: In November 2025, the Ninth Circuit granted an injunction pausing enforcement of SB261 while a First Amendment challenge — brought by the US Chamber of Commerce and others — proceeds on appeal. Oral argument took place in January 2026. As of mid-2026, no decision has been issued. CARB has stated it will not enforce SB261 while the injunction remains in place and will establish a new compliance deadline after the appeal is resolved.

Companies should not treat this as a signal to stop preparing. If the injunction is lifted, CARB is expected to move quickly to set a new reporting date. Many companies are already preparing disclosures consistent with the statute to avoid being caught flat-footed.

Reports, when required, must be publicly available on the company's website, with the URL submitted to a public CARB docket.

What Does a SB261 Climate Risk Report Actually Require?

The statute requires companies to prepare a climate-related financial risk report that is consistent with the recommended framework and disclosures of the TCFD. This is the central requirement, and unpacking what that means is where most compliance planning needs to focus.

TCFD-Aligned Disclosure: The Four Pillars

1. Governance Describe how the board and senior management oversee climate-related risks and opportunities. This includes the governance structures, roles, and processes in place — not just a general statement that climate is on the board's agenda.

2. Strategy Describe the actual and potential impacts of climate-related risks and opportunities on the business, strategy, and financial planning. This section should cover both physical risks (floods, wildfires, heat stress, drought) and transition risks (regulatory changes, carbon pricing, technology disruption, shifting customer demand).

Critically, the TCFD framework expects companies to describe their strategy under different climate scenarios, including a scenario consistent with limiting warming to 2°C or below. For many companies, this is the most technically demanding element of the report.

3. Risk Management Describe the processes used to identify, assess, and manage climate-related risks — and how these are integrated into the company's overall risk management framework.

4. Metrics and Targets Disclose the metrics used to assess climate-related risks and opportunities, GHG emissions (to the extent material and relevant), and any targets the company has set in relation to climate risk management.

Physical and Transition Risk Coverage

SB261 does not specify which physical or transition risks must be disclosed — but a credible, audit-ready report should address both categories with specificity relevant to the company's operations.

Physical risks may include:

  • Acute events: flooding, wildfire, extreme heat, hurricanes, drought
  • Chronic shifts: sea level rise, changing precipitation patterns, rising average temperatures affecting operations or supply chains

Transition risks may include:

  • Policy and regulatory: carbon pricing, emissions regulations, product standards
  • Technology: disruption from clean energy or low-carbon alternatives
  • Market: shifts in customer preferences or commodity pricing
  • Reputational: exposure to litigation, activism, or stakeholder scrutiny

For California-based businesses in particular, physical risks such as wildfire and water scarcity are highly material and should receive substantive treatment, not just a generic acknowledgment.

A note on opportunities: while the TCFD pillars above reference both risks and opportunities, SB261's statutory text is framed entirely around risk, and CARB's own guidance confirms the statute "allows but does not mandate" disclosure of opportunities. In practice, this functions as a soft expectation rather than a hard requirement. CARB's supplemental guidance and reporting checklist do reference opportunities consistent with TCFD's structure, and companies that omit opportunities should consider disclosing that omission rather than ignoring the topic. Most credible reports address both, but a company focusing narrowly on risk is not technically out of compliance.

What About SB253?

While SB261 remains in legal limbo, SB253 continues to move forward, with one recent adjustment. In February 2026, CARB formally adopted its initial implementing regulations, and on June 24, 2026, CARB announced it intends to defer the first-year Scope 1 and 2 reporting deadline from August 10 to November 10, 2026, to allow time for limited clarifying changes to the regulation. The deferral is proposed, not yet final, pending a 15-day comment period and Office of Administrative Law approval, but companies should treat November 10 as the working target. The regulations otherwise confirm: 

  • Companies with $1 billion or more in annual revenue doing business in California must report Scope 1 and Scope 2 emissions by the proposed November 10, 2026 deadline (deferred from August 10) 
  • The applicable fiscal year depends on when the entity's FY ends: companies with FY ending on or before February 1, 2026 report FY25–26 data; those with FY ending after that date report FY24–25 data
  • For 2026, CARB will not require a standardised reporting template and limited assurance is not required
  • CARB has confirmed it will exercise enforcement discretion for good-faith first-year submissions — but companies that are not collecting data are expected to submit a statement confirming this on company letterhead
  • Scope 3 reporting begins in 2027, with the specific framework still in pre-rulemaking. CARB is considering three approaches: broad applicability across all 15 GHG Protocol categories, a sectoral phase-in, or a category-based phase-in starting with the most commonly reported categories
  • Fees will be invoiced in September 2026; each covered subsidiary is assessed a fee even when reporting is consolidated at parent level

Companies preparing for SB253 are well-advised to develop their SB261 disclosures in parallel — the underlying risk assessment work is substantially the same.

How SB261 Relates to Other Frameworks

One of the most common questions from sustainability leaders managing multiple reporting obligations is how SB261 fits within the broader disclosure landscape.

New York Is Watching

Companies with significant New York operations should also track New York's Climate Corporate Data Accountability Act (S9072A), which passed the State Senate on February 10, 2026 and is now before the Assembly. It is modeled on California's SB253 (not SB261) and would require companies with over $1 billion in annual revenue doing business in New York to report Scope 1 and 2 emissions from 2028 and Scope 3 from 2029, with phased third-party assurance requirements. It remains pending, not enacted. Companies already building SB253 compliance infrastructure are well positioned to extend it to New York if and when it passes.

Enforcement and Penalties

SB261 is enforced by the California Air Resources Board (CARB). The law provides for civil penalties of up to $50,000 per reporting year for non-compliance. SB253 carries higher penalties of up to $500,000 per year, with a Scope 3 safe harbour for disclosures made in good faith with a reasonable basis.

Importantly, companies are not penalised for the content of their disclosures — the requirement is to publish a report, not to achieve a particular risk profile. What regulators and, increasingly, litigation risk will focus on is whether disclosures are materially misleading or inconsistent with what the company knows about its risk exposure.

This is a meaningful distinction. A company that publishes a disclosure stating it has assessed its climate risks and found them immaterial, without having conducted a genuine risk assessment, is exposed to greater legal and reputational risk than one that discloses significant risks with appropriate methodology and context.

Common Mistakes Companies Are Making

Treating the injunction as a permanent reprieve. SB261 enforcement is stayed, not cancelled. The Ninth Circuit could issue its decision at any time, and CARB is expected to move quickly to set a new compliance date once the appeal is resolved. Companies that have done nothing will face a very compressed timeline.

Treating this as a legal and compliance exercise rather than a strategy exercise. The most defensible SB261 disclosures are those rooted in a genuine assessment of how climate risk affects the business. Disclosures prepared purely to tick a box tend to be vague, inconsistent with what management actually knows, and difficult to defend if challenged.

Failing to conduct scenario analysis. The TCFD framework's scenario analysis requirement is frequently the most under-developed element of disclosures. A credible report should reference the specific scenarios used (e.g., IEA Net Zero by 2050, IPCC RCP2.6, RCP8.5), the time horizons assessed, and what the analysis revealed about strategic resilience.

Underrepresenting transition risk. Companies with large California operations in sectors subject to energy regulation, carbon pricing exposure, or consumer-facing reputational risk often focus almost entirely on physical risk. This creates a skewed disclosure that may not reflect the company's actual risk profile.

Inconsistency across disclosures. Large companies that produce TCFD reports, annual reports, SEC filings, and now SB261 reports need to ensure the climate risk narratives across these documents are consistent. Contradictions between documents create legal exposure.

Not building a repeatable process. SB261 requires biennial reporting. A company that treats the first report as a one-time consulting project will find itself scrambling again in two years, with the additional complication that year-two disclosures will be compared to year-one for consistency and progress.

What a Strong SB261 Report Looks Like

The best SB261 disclosures share several characteristics:

  • Specificity over generality. They name actual assets, geographies, or business units exposed to climate risk — not just categories of risk in the abstract.
  • Scenario analysis with named scenarios and clear methodologies. Readers can see which scenarios were used, why they were chosen, and what the analysis found.
  • Financial materiality framing. Risks are connected to potential financial impacts: revenue exposure, cost increases, asset impairment, capital expenditure requirements.
  • Consistent with the company's internal risk view. The disclosure aligns with what the board and management are actually discussing, not a sanitised external version of it.
  • An auditable evidence trail. Data sources, methodologies, and assumptions are documented and available to support external assurance.

Getting Practical: Building the SB261 Report

For most organisations, the practical workflow for a TCFD-consistent, SB261-compliant climate risk report involves several key steps:

  1. Identify all relevant physical and transition risks for your specific operational footprint, value chain, and sector.
  2. Conduct scenario analysis against at least two contrasting climate pathways — a transition-aligned scenario (e.g., IEA Net Zero 2050) and a higher-warming scenario (e.g., IPCC 3°C+).
  3. Assess materiality and prioritise risks for disclosure.
  4. Quantify financial exposure where methodology allows.
  5. Document governance and risk management processes in a way that reflects actual practice.
  6. Prepare a public-facing report that is clear, accessible, and complete.
  7. Publish on the company's website and submit the URL to CARB's public docket once a new reporting deadline is established.

Technology plays an important role in making this process repeatable and auditable. Climate risk assessment software can automate the mapping of physical and transition risks to operational locations, model financial impacts under multiple scenarios, and generate disclosure-ready outputs — replacing what would otherwise require significant consultant engagement and manual effort.

The Bottom Line

SB261 is California setting a standard that will influence disclosure norms well beyond its borders. The Ninth Circuit injunction has delayed the first reporting deadline, but it has not changed the underlying trajectory. CARB is continuing to build out its implementation programme, the appeal will resolve, and a new deadline will be set.

In the meantime, SB253 is live, and its first-year deadline for Scope 1 and 2 emissions, recently deferred by CARB from August 10 to a proposed November 10, 2026, is still approaching fast. Companies that approach both laws as a genuine risk assessment exercise — not a compliance checkbox — will produce disclosures that hold up over time. Those that wait for legal certainty before starting will find themselves re-doing the work under more scrutiny and in less time.

Socialsuite's Climate Risk Assessment and Scenario Analysis module is purpose-built for TCFD, SB261, IFRS S2, and ASRS S2 compliance. Automated physical and transition risk assessment, multi-scenario modelling, and disclosure-ready reporting in one platform.

Dr. Tim Siegenbeek van Heukelom
Chief Impact Officer
Article Contents
See all Articles

Recent articles

Ready to maximize your organization’s impact?

Whether it’s a public company, a private company, or a charity, Socialsuite has the right solution for you.