EU Sustainability Omnibus I – “Detailed Omnibus” Adopted: What the Final CSRD/CSDDD Deal Means for Companies

Introduction

The EU institutions have now concluded the first “Sustainability Omnibus” legislative package (“Omnibus I”) amending the Corporate Sustainability Reporting Directive (“CSRD”) and the Corporate Sustainability Due Diligence Directive (“CSDDD”). The European Parliament approved the compromise text on December 16, 2025, following the Council–Parliament agreement reached in early December.

As we flagged in our earlier alerts (EU Sustainability Developments Unpacked: European Parliament Confirms Moderated Position on Corporate Due Diligence and Reporting Rules, EU Sustainability Reporting Unpacked: Latest Developments on the Omnibus Package and ISSB Interoperability, Current developments in ESG obligations in the EU: Omnibus Regulation and EU Deforestation Regulation, and Shifting Sands of EU ESG Reporting Compliance), the direction of travel has been consistent: fewer companies in scope, later and lighter obligations, and explicit “anti-trickle-down” protections for smaller value-chain counterparties—combined with targeted procedural changes intended to make compliance more operationally feasible for those that remain in scope.

Below we highlight the main takeaways from the final deal and what to do next.

1. Big picture: a “largest-companies-first” sustainability framework

The political headline is a deliberate narrowing of mandatory requirements to the largest companies:

• CSRD reporting is now targeted at companies with >1,000 employees and >€450 million net annual turnover (with corresponding rules for certain non-EU groups).
• CSDDD due diligence is limited to “very big” companies with >5,000 employees and >€1.5 billion net annual turnover, with application deferred until July 2029.

This is not simply “stop-the-clock” timing relief; it is a structural shift in who is regulated and how EU sustainability obligations are expected to cascade through groups and value chains.

2. CSRD

2.1 Scope materially narrowed, including for non-EU groups

A. New EU scope thresholds

CSRD sustainability reporting is now required only for EU companies (and certain issuers/groups) meeting both thresholds: (i) >1,000 employees (down from the 1,750 proposed by EU Parliament in its negotiating position) and (ii) >€450 million net turnover.

This is a significant departure from the prior “two-out-of-three” test (employees/turnover/balance sheet) and will remove many “high-turnover, low-headcount” businesses from mandatory CSRD reporting.

B. Non-EU (“Article 40a”) reporting: higher EU turnover + higher EU presence thresholds

For third-country groups, the agreed approach is also more restrictive: the trigger is >€450 million net turnover generated in the EU (for each of the last two consecutive financial years) and an EU subsidiary or branch with >€200 million net turnover.

C. Exemption of financial holding companies and large stock-listed subsidiaries

Financial holding companies, i.e., companies that are not involved in the management of their subsidiary companies, will be exempt from CSRD reporting obligations.

In addition, while subsidiaries that were included in the consolidated CSRD reports of their parent companies could generally opt out of CSRD reporting, this exemption did not apply to large subsidiaries that were listed on an EEA-regulated market. This “counter-exception” has now been deleted, meaning that large stock-listed subsidiaries are exempt from CSRD reporting if they are included in their parent’s consolidated CSRD reports.

D. “Wave one” transition relief for companies dropping out of scope

Member States may introduce a transition exemption for companies that started reporting from FY2024 (the “wave one” cohort) that will fall out of scope under the new thresholds—addressing a key edge case where companies could otherwise face a short reporting “sprint” followed by an exit.

The details will still need careful tracking at Member State level, including any optional exemptions and how national laws handle potential transitions.

2.2 “Anti-trickle-down” protections become statutory (the value-chain cap)

One of the most consequential operational changes is the creation of a statutory “value-chain cap” protecting companies in the reporting entity’s value chain with up to 1,000 employees (“protected undertakings”) from disproportionate ESG information requests.

Key elements of the final mechanism include:

• Self-declaration: Reporting companies may rely on a self-declaration from value-chain counterparties to determine whether they are protected undertakings, without further verification (absent clear reason to doubt).
• Hard limit on information requests: Reporting companies are prohibited from requiring protected undertakings to provide information beyond specified limits aligned with voluntary reporting standards.
• Statutory right to refuse: Protected undertakings should be given a legal right to decline to provide information exceeding those limits, and reporting companies must inform them of that right when requesting “extra” information.
• Deemed compliance: Reporting companies that comply with the cap are deemed to satisfy the obligation to report value-chain information, including through estimates where needed.

This is the EU putting real “teeth” behind the policy objective of preventing sustainability reporting from becoming a backdoor regulation of smaller suppliers and business partners.

2.3 ESRS: sector-specific standards dropped; “core ESRS” to be substantially revised

Two points from the final Omnibus I are particularly important for reporting strategy:

A. Sector-specific ESRS: no longer mandated

Omnibus I removes the Commission’s empowerment to adopt mandatory sector-specific European Sustainability Reporting Standards (“ESRS”), in order to avoid increasing the number of required datapoints.

B. Core ESRS revision: substantial reform promised

Omnibus I anticipates a fast-track revision of the existing ESRS, focusing on (among other things) removing less important datapoints, prioritizing quantitative datapoints, clarifying the materiality principle, and improving coherence with other EU regimes.

For companies remaining in scope, this reinforces a practical message: build a reporting system that is robust but modular, because the datapoint architecture is likely to change.

2.4 CSRD assurance: more time for limited assurance standards; “reasonable assurance” removed

Two assurance changes in Omnibus are notable:

• The deadline for the Commission to adopt limited assurance standards is postponed to July 1, 2027.
• The requirement for the Commission to move toward reasonable assurance standards is removed (explicitly framed as a cost-control measure).

This should reduce near-term assurance escalation risk and gives companies more runway to stabilize governance and controls before assurance expectations harden.

2.5 Digital enablement: EU portal for reporting support

Omnibus I introduces a new “digital support” chapter requiring the Commission to provide a dedicated portal for sustainability reporting, giving access to information, guidance, templates, and support for both mandatory and voluntary reporting.

While this is not a compliance obligation in itself, it is a signal that the EU expects the “new normal” to include standardized digital tooling and interoperability, rather than bespoke, manual reporting exercises.

3. CSDDD

3.1 Scope narrowed to “very big” companies, with scoping + prioritization as central design features

A. New thresholds and timing

The revised CSDDD applies only to companies with >5,000 employees and >€1.5 billion net turnover, with compliance applying from July 26, 2029 (and transposition into Member State law by July 26, 2028).

B. Risk-based due diligence anchored in a “scoping exercise”

The final text explicitly builds due diligence around a scoping approach:

• Companies carry out a scoping exercise (based solely on reasonably available information) to identify general areas where adverse impacts are most likely and most severe. In line with the Parliament’s negotiation position, both direct and indirect business partners will be part of the scoping (unlike the EU Commission and Council positions, which wanted to limit the risk analysis to direct business partners).
• They then perform in-depth assessment focused on those priority areas.

C. Prioritization and information requests (including “smaller partner” protections)

Omnibus I contains multiple controls designed to limit burdens on smaller business partners:

• Information requests must be necessary, and for partners with fewer than 5,000 employees, information should only be requested when it cannot reasonably be obtained by other means.
• Where information can be obtained from different partners, companies should prioritize requests directly from the business partner where impacts are most likely to occur; and where impacts are equally likely/severe, companies may prioritize assessing areas involving direct business partners.

These are practical levers that—if used thoughtfully—should make due diligence programs more targeted and defensible.

3.2 Climate transition plans: removed from CSDDD

A major political compromise is that the obligation to adopt a climate transition plan under the CSDDD is removed.

This does not eliminate climate expectations elsewhere (including through investor pressure, financing conditions, and sectoral requirements), but it does remove one of the CSDDD’s most debated “boardroom-facing” elements. In addition, obligations to report on climate transition plans under CSRD will remain in force.

3.3 CSDDD liability and penalties: EU harmonized liability regime removed; penalties capped at 3%

Two final-agreement points are particularly relevant for litigation risk and enforcement exposure:

• Removal of the EU-harmonized civil liability regime and the “overriding mandatory” application requirement, replaced with a review clause on whether EU harmonization is needed.
• Penalties are subject to a maximum cap of 3% of net worldwide turnover, with Commission guidance contemplated to support calibration.

In short: liability remains, but it is more clearly channeled through national frameworks, and the EU has stepped back from certain harmonizing moves.

4. What companies should do now

Even with narrower scope, the practical message for many multinational groups is not “stand down,” but “re-calibrate.”

Step 1: Re-run scoping based on the final thresholds

• Confirm whether you remain in scope of CSRD (>1,000 employees + >€450 million turnover) and/or CSDDD (>5,000 employees + >€1.5 billion turnover).
• For non-EU groups, reassess whether EU turnover and EU presence thresholds trigger reporting.

Step 2: If in scope, shift to “lean but audit-ready” data and controls

• Build around likely ESRS simplification and the removal of sector-specific ESRS by prioritizing core data architecture and materiality discipline, rather than a maximalist datapoint approach.
• Track assurance developments: limited assurance standards by July 1, 2027, and no “automatic” move to reasonable assurance.

Step 3: Use the new “anti-trickle-down” rules to reset supplier engagement

• Update supplier questionnaires/contractual ESG data clauses to reflect the value-chain cap and the statutory refusal right for protected undertakings.
• Align procurement and sustainability teams so requests are consistent, targeted, and defensible.

Step 4: For CSDDD in-scope companies, design around scoping + prioritization

• Document your scoping exercise and prioritization logic early—these will be central to showing that your program is “risk-based” as intended.
• Review termination/suspension playbooks: the text contains “last resort” mechanics and safe‑harbor-like concepts when an enhanced action plan is reasonably expected to succeed.

Step 5: Monitor “what’s next”

• The Omnibus I directive enters into force 20 days after publication in the Official Journal of the EU, but will not become directly operational for companies until implemented by Member States.
• Implementation details will still depend on Member State transposition and regulatory guidance, including Commission guidance on penalties and model clauses.

5. Conclusion

The final Omnibus I text marks a decisive EU shift from broad-based sustainability regulation toward a concentrated model aimed at the largest companies, while trying to preserve policy objectives through risk-based due diligence, simplified reporting, and explicit protections for smaller value-chain counterparties.