AUTHORS
Tax transparency has moved from the back office to the front page.
Over the past decade, the way multinational enterprises (MNEs) report where they earn profit and where they pay tax has shifted from a confidential exchange between tax authorities to something increasingly placed in front of the public, particularly in Europe and Australia.
Public country-by-country reporting (Public CbCR) differs significantly from the confidential OECD framework most large groups already know. For the first time, sensitive financial and tax information that was once shared privately with revenue agencies is being published on government websites and corporate registers for competitors, journalists, investors and campaigners to read.
Furthermore, because Public CbCR has been introduced through national legislation rather than a single global standard, the rules are being implemented differently across the major jurisdictions that have adopted them.
This means that a group with operations in Australia and several European countries cannot assume one report satisfies everyone.
How is Public CbCR different from previous regimes?
The starting point for most MNEs is the OECD's Base Erosion and Profit Shifting (BEPS) Action 13 framework, which introduced confidential country-by-country reporting for groups with consolidated revenue of at least €750m. Under that regime, a group files a single report with its home tax authority, which then exchanges it automatically with the tax authorities of other countries where the group operates. The data is used to assess transfer pricing and profit-shifting risk, and it stays within the revenue agencies.
Public CbCR keeps the same broad €750m (or local-currency equivalent) revenue trigger and much of the same data: revenue, profit before tax, tax accrued and paid, employee headcount, and a description of activities, but changes the audience. The report, or a defined subset of it, is made publicly available. That means groups must think about how the numbers will read to an outside audience who may not understand the commercial context behind them.
Two broadly parallel regimes have emerged. Australia introduced its own Public CbCR rules through domestic legislation. The European Union introduced a regime through Directive (EU) 2021/2101, which amends the EU Accounting Directive (2013/34/EU) and which each member state has had to transpose into its own national law. These two tracks share a common philosophy but diverge in important ways, and even within the EU, the national transpositions are far from uniform.
The Public CbCR framework
Australia
Australia's Public CbCR rules apply to income years commencing on or after 1 July 2024, applying in addition to the existing confidential CbCR framework. They layer on additional reporting and public disclosure, and there are several features that distinguish them from both the OECD rules and the European approach:
- Who files? The obligation rests with the CbCR parent (including a foreign-headquartered parent) rather than the local Australian taxpayer. As a result, an offshore parent that has never dealt directly with the Australian Taxation Office (ATO) may now carry a direct Australian filing obligation.
- Who is in scope? The familiar AUD $1bn annual global income threshold applies, but Australia adds a materiality test: a group is only caught if its aggregated Australian-sourced turnover for the income year is AUD $10m or more. Groups without a meaningful economic footprint in Australia therefore fall outside the net.
- Filing mechanics. The CbCR parent must register with the ATO and submit the form in the required format with the ATO. The ATO publishes the information on a government website (Data.gov.au), making it freely accessible to the public.
- A consolidated-statements data source. The regime generally requires information to be derived from, and capable of reconciliation to, the consolidated financial information of the group. Groups that do not already prepare consolidated accounts may have additional work to do, and the reported figures must reconcile to the audited consolidated financials.
- A broad list of named jurisdictions. Financial, tax and headcount data must be reported separately for Australia and for a list of “specified jurisdictions.” That list currently runs to 40 jurisdictions, including Singapore, Switzerland and Hong Kong, which is far broader than the roughly one dozen “non-cooperative” jurisdictions the EU singles out. Data for all other jurisdictions can be aggregated, unless the group voluntarily chooses to disaggregate.
- A tax-approach statement. Groups must include a narrative statement describing their approach to tax, including explanations of any discrepancy between the tax expense and the headline rate in a jurisdiction. Groups may wish to consider the principles reflected in GRI 207 when preparing these disclosures.
- Significant late filing penalties. The report is due within 12 months of the end of the reporting period. For a 30 June 2025 year end, the first report is due by 30 June 2026; for a 31 December year end, by 31 December 2026. Penalties for late filing are severe and can reach AUD $910,000 after four months, and material errors discovered after publication must be corrected within a short window.
- Discretionary exemptions only. The ATO's Practice Statement Law Administration PS LA 2025/2 governs exemptions, which are at the Commissioner's discretion and expected to be granted only in “exceptional circumstances.” For example, where disclosure would breach the law of another jurisdiction or expose genuinely commercially sensitive information likely to cause severe harm. Groups are encouraged to register with the ATO early and not to count on an exemption.
The practical message in Australia is to assess scope carefully, get data and reconciliation processes in order, consider running a market-sensitivity analysis before the numbers go public, and treat exemptions as a long shot rather than a fallback.
Europe
Directive (EU) 2021/2101 entered into force on 21 December 2021. Member states were required to transpose it by 22 June 2023, and the rules apply, at the latest, for financial years beginning on or after 22 June 2024. For the many groups that report on a calendar year, that means 2025 is the first reporting year, with the first reports generally due by the end of 2026.
The core EU features are:
- A €750m consolidated revenue threshold met in each of the last two consecutive financial years, capturing both EU-parented groups and non-EU groups with qualifying EU subsidiaries or branches.
- Disclosure on a disaggregated basis for each EU and EEA member state and for each jurisdiction on the EU's list of non-cooperative (“black”) or grey-listed jurisdictions, with all other third countries permitted to be aggregated into a single ‘“rest of world’” figure.
- A 12-month publication deadline, with the report filed in the relevant commercial or business register and, in principle, published on the company's website for at least five years.
- A ‘“safeguard clause’” allowing member states to let companies temporarily omit commercially sensitive information (for up to five years), except for data concerning non-cooperative jurisdictions.
- A ‘“website exemption’” option that member states may offer, allowing a company to rely on a free, publicly accessible register rather than publishing on its own website (provided the website links to the register).
- A move to a common electronic template in xHTML with inline XBRL (iXBRL) tagging, under Commission Implementing Regulation (EU) 2024/2952.
- A requirement for auditors to confirm whether a company was in scope and whether the report was published.
Because these are options and minimum standards, the member states have made different choices. That is where the real complexity lies for groups operating across several European countries, especially for non-EU-headquartered groups, which can face an obligation in each member state where they have a qualifying presence.
Implementation nuances by country
The table below summarises the headline differences; the commentary that follows draws out what each one means in practice in Australia, and some of the larger European jurisdictions.
| Jurisdiction | Implementing law | Filing deadline | Safeguard / omission clause | Website exemption | Notable local twist |
|---|---|---|---|---|---|
| Australia | Domestic legislation (TAA 1953); royal assent Dec 2024 | 12 months | No general clause; discretionary exemptions only (PS LA 2025/2) | N/A (ATO publishes) | 40 specified jurisdictions; AUD 10m materiality test; tax-approach statement |
| France | Ordinance of 22 June 2023; Decree 2023-493 + Decree 2024-152 | 12 months | Yes (up to 5 years) | No | Higher branch threshold (€15m); French translation and certification |
| Germany | Federal legislation, June 2023 | 12 months | Yes, but reduced to 4 years | Yes | Generous in-scope size criteria; max fine €250,000 |
| Italy | Legislative Decree No. 128 of 4 Sept 2024 | 12 months | Not adopted | No, both register and website required | Cannot omit sensitive data; option to publish full CbCR; director penalties €10k-50k |
| Netherlands | Implementation Act (Dec 2023) + Decree (Feb 2024) | 12 months | Yes (5 years) | No, both register and website required | Possible director liability for non-compliance |
| Spain | Law 28/2022 (the ‘“Startup Law’”) | 6 months | Yes (up to 5 years) | No (register + website) | Markedly shorter deadline than the Directive; applies only to Spanish-law ultimate parents; EU-parented subsidiaries are not independently obligated under Spanish law (ICAC, BOICAC No. 144/2025) |
Australia is included here for contrast because its regime sits outside the EU Directive entirely. The differences worth keeping front of mind for a group that also reports in Europe are the much wider list of named jurisdictions (40 specified jurisdictions versus the EU's short non-cooperative list), the requirement to source data from consolidated financial statements and reconcile to the audited accounts, the mandatory tax-approach narrative, and the absence of a general safeguard clause.
In Australia, relief depends on a discretionary, narrowly granted exemption rather than a statutory right to omit sensitive information. A group cannot simply repurpose its EU report for Australian purposes; the jurisdictional breakdown and qualitative content differ, as well as the filing mechanics.
France was among the earliest movers, publishing its transposition ordinance in the Official Journal on 22 June 2023 and codifying the rules in the French Commercial Code, with the detail filled in by implementing decrees. The rules apply to financial years beginning on or after 22 June 2024, with a 12-month filing deadline, and the report must be made available on the company's website free of charge for five years.
Two French-specific points are worth noting. First, France set the net-turnover threshold for branches at €15m, higher than the €8m used as the floor in the Directive, which narrows the population of branches caught. Second, the report must be filed with the commercial court registry and, where necessary, translated into French and certified. France adopted the safeguard clause, allowing publication of seriously prejudicial information to be deferred for up to five years (other than for non-cooperative jurisdictions). For groups used to publishing in English, the translation and certification requirement is an easily overlooked administrative step.
Germany's implementation, finalised in mid-2023 and applicable for financial years beginning on or after 22 June 2024, is widely regarded as business-friendly, and it diverges from the Directive in a few telling ways. Germany applies relatively generous size criteria when testing whether a non-EU or non-EEA parented group is in scope. For instance, German subsidiaries of such non-EU or non-EEA parented groups are in scope only if they meet at least two of the following three criteria:
- total of assets in the balance sheet above €7.5m
- turnover in the last twelve months before balance-sheet date above €15m,
- yearly average of employees above 50.
Germany also adopted the website exemption, meaning an in-scope entity can satisfy its publication obligation through the company register without separately publishing on its own website, provided the register access is free and open and the entity states on its website for at least five years that the report can be found on the register’s s website free of charge and that, for this reason, the obligation to publish the report on the website is not applicable.
Against those accommodating features, Germany made two choices that point the other way. It shortened the safeguard clause: commercially sensitive information can be omitted for four years rather than the Directive's five. And it set the maximum fine for non-compliance at €250,000, a figure high enough to signal that enforcement is to be taken seriously, although the fine is not automatic and the ceiling would only be reached in extreme cases. The net effect is a regime that is comparatively easy to comply with mechanically but that should not be treated casually.
Italy transposed the Directive through Legislative Decree No. 128 of 4 September 2024, published in the Official Gazette in mid-September 2024, applying to financial years beginning on or after 22 June 2024 with a 12-month filing deadline and filing with the Chamber of Commerce (Registro delle Imprese). Crucially, Italy did not take up the website exemption: the report must both be deposited with the Chamber of Commerce and published, on the company’s own website, where it must remain available for five consecutive years.
On its core content, Italy stayed close to the Directive - it did not add extra data points or impose a shorter deadline as Spain did. From a practical point of view the data relating the Public CbCR will have to be filed to the Chamber of commerce by using a specific electronic format called XBRL and digitally signed.
Italy's defining choice, however, runs in the opposite direction to most of its neighbours: it did not adopt the safeguard clause. That means Italian-reporting entities cannot temporarily omit commercially sensitive information from the report, even where disclosure could harm their commercial position - a materially stricter position than Germany, France or the Netherlands, all of which allow deferral. To ease the compliance burden in other respects, Italy opted to let groups follow the reporting instructions used for the confidential exchange of CbCR information (under Directive 2016/881), and it allows a group to choose to publish the entire CbC report rather than only the prescribed subset. Penalties fall on the Italian directors and generally range from €10,000 to €50,000. Those figures are not fixed: the penalty is halved where the report is deposited within sixty days of the deadline and doubled where the report filed with the Company Register contains untrue material facts or omits material information the decree requires. A deposit made more than sixty days late is treated as a failure to file altogether.
For groups with genuinely sensitive data, Italy is the jurisdiction where the absence of a safeguard valve bites hardest, and that may influence which European entity a group selects to discharge its obligation.
Eventually Italy provided for a further limitation to the obligations to draft the Public CbCR for subsidiaries owned by a non-EU ultimate parent undertaking where the ultimate parent undertaking prepares a report on income tax information equivalent to that provided for under this framework, meeting simultaneously additionally specific requirements:
the report states the name and registered office of the Italian subsidiary and is made accessible to the public free of charge on the website of the non-EU ultimate parent undertaking as well as on the website of the Italian subsidiary, within 12 months of the closing date of the relevant financial year and it is drawn up in at least one of the official languages of the European Union, including English;
the management of the Italian subsidiary has anyway to comply with the publication and filing obligations with the Companies Register where the entity has its registered office.
The Netherlands transposed the Directive through an implementation act in December 2023 and an implementing decree in February 2024, and the Dutch provisions are largely faithful to the Directive's text. The Netherlands adopted the safeguard clause, allowing omission of seriously prejudicial information for up to five years.
The distinguishing Dutch feature is the publication mechanics. The Netherlands did not take up the website exemption: an in-scope group must both file the report in the Dutch Trade Register and publish it on its website, within twelve months of the financial year end, and keep it available on the website for at least five years. There is therefore no “register-only” shortcut in the Netherlands. Compounding the seriousness, non-compliance can expose directors to liability in addition to penalties, which raises the stakes for governance and sign-off processes. Groups that planned to rely on a register filing alone elsewhere in Europe need to remember that the Dutch route requires the website step as well.
Spain stands out for one reason above all others: timing. Spain transposed the Directive through Law 28/2022 (widely known as the “Startup Law”), which amended the Spanish audit law, and it set a publication deadline of six months after the balance sheet date rather than the Directive's standard twelve. The report must be filed with the Commercial Register (registro mercantil) in machine-readable iXBRL format alongside the annual accounts and also made freely accessible on the company's website for at least five years. For 2025 year-ends, this is the first reporting year for many groups.
The six-month deadline applies only where the ultimate parent of the group is itself subject to Spanish law. Where the ultimate parent is domiciled in another EU Member State (for example, Italy, France or Germany) the reporting obligation falls on that parent under the law of its home Member State, and the Spanish six-month clock does not run against the Spanish subsidiary. This has been confirmed by Spain's accounting and auditing regulator (ICAC) in its published consultation BOICAC No. 144/2025 (Consulta 5), which addressed precisely this scenario: a Spanish subsidiary of an Italian-parented group is not an “obligated entity” under Spanish law, and may file its annual accounts in the Spanish Commercial Register without any requirement to publish a CbCR report of its own. The Spanish subsidiary's position is governed by the parent's home-country timetable – in the Italian case, twelve months.
The six-month deadline does, however, should have a knock-on effect for non-EU-headquartered groups that satisfy their EU obligation by designating a Spanish entity as the publishing entity. In that scenario, the Spanish timetable effectively governs the whole exercise: the practical deadline for the group's EU disclosure becomes six months rather than twelve, even where other member states such as Germany allow the longer period. Groups should map carefully which entity in which country actually discharges the obligation, because the choice of publishing entity can move the headline deadline forward by half a year.
What the divergence means in practice
For a group operating across these six jurisdictions, three themes emerge.
- First, there is no single “European report.” The Directive sets a floor, but deadlines, branch thresholds, safeguard rights, publication channels and penalties all vary by country. A group must understand, for each jurisdiction where it has a qualifying presence, which entity carries the obligation and under which national rules.
- Second, the choice of reporting entity has consequences. Where a non-EU-parented group can satisfy its EU obligation through a designated subsidiary, that decision can determine the deadline (Spain's six months versus Germany's twelve), whether sensitive information can be withheld (Italy's no-safeguard position versus the others), and the publication mechanics (the Netherlands' dual filing requirement versus Germany's register-only option). These are strategic choices, not mere administration.
- Third, consistency is its own risk. The same group may publish overlapping data sets in Australia, the EU and through its confidential CbCR and Pillar Two filings. Discrepancies between these (different jurisdictional groupings, different data sources, different definitions) invite questions from tax authorities and outside observers alike. Reconciling the figures across regimes before anything is published is now an essential part of the process.
Preparing now
Whether the obligation arises in Australia, Europe or both, the practical steps are similar. Confirm whether the group is in scope under each applicable regime, including the local thresholds and materiality tests. Review the readiness of the data-collation process and how it aligns with data already gathered for confidential CbCR and Pillar Two.
Decide which entity will report where, with the deadline, safeguard and publication implications of that choice clearly understood. Consider a market-sensitivity analysis before publication, and weigh whether to publish additional voluntary context so that the bare numbers are not read without explanation. And build in time for sign-off, translation and certification where local rules require them.
Further details
For further details on Public CbCR, please contact your usual RSM adviser or any of the following:
RSM Australia: Liam Delahunty, Liam.Delahunty@rsm.com.au
RSM France: Maxime Aguenaou, Maxime.Aguenaou@rsmfrance.fr
RSM Ebner Stolz, Germany: Christian Zimmermann, Christian.Zimmermann@ebnerstolz.de
RSM Italy: Guido Pignanelli, Guido.Pignanelli@rsm.it
RSM Netherlands: Juan Dosal, JDosal@rsmnl.nl
RSM Spain: Jaime López, JLopez@rsm.es