CSRD Omnibus 2026: What Changed and What It Means
The EU...................................................................................................................................... just ran the biggest retreat in sustainability regulation history. The Omnibus Simplification Package — formally adopted and moving through implementation — cut the number of companies required to report under CSRD from approximately 50,000 to roughly 5,000. That's a 90% reduction in mandatory reporters in a single legislative move.
If you've been building toward CSRD compliance, or selling tools that help companies comply, this changes your calculus significantly. Here's what actually happened, who's still in scope, and what the supply chain angle means for the broader market.
What the Original CSRD Said
The Corporate Sustainability Reporting Directive as enacted in 2023 applied to:
- Large companies already subject to the Non-Financial Reporting Directive (NFRD) — roughly 11,700 EU-based companies — with reporting starting for FY2024 (first reports due 2025)
- Other large companies meeting two of three thresholds: 250+ employees, €40M+ net turnover, €20M+ balance sheet — bringing the total to ~50,000 companies — with reporting starting for FY2025 (first reports due 2026)
- Listed SMEs with a phased-in, lighter-touch reporting standard starting FY2026
The mandate required disclosure against European Sustainability Reporting Standards (ESRS), covering climate, biodiversity, social factors, and governance — hundreds of data points per reporting company.
What the Omnibus Package Changed
The Commission's Omnibus proposal, pushed through under pressure from European business lobbies and member states arguing the original scope was unworkable, made three structural changes:
1. The threshold jumped to 1,000 employees
The new primary threshold for mandatory CSRD reporting is 1,000+ employees (up from 250+), with the turnover and balance sheet thresholds adjusted proportionally. This single change eliminates mandatory reporting for the vast majority of mid-market companies that were previously in scope.
Estimated companies now required to report: ~5,000 (down from ~50,000).
2. ESRS datapoints were cut
Even for the 5,000 companies still in scope, the number of mandatory ESRS disclosure points was reduced. Several datapoints were moved from mandatory to voluntary. The practical effect: a large-cap company that was preparing 800+ ESRS disclosures is now looking at a materially smaller mandatory set.
3. The value chain provisions were softened
The original CSRD required large companies to collect sustainability data from their suppliers — this is the mechanism that would have forced sustainability reporting behavior down the supply chain to SMEs. The Omnibus package weakened these provisions, capping what in-scope companies can request from suppliers and limiting audit requirements for supplier-provided data.
Who's Still In Scope
The roughly 5,000 companies still subject to mandatory CSRD reporting are:
- Large publicly listed companies with 1,000+ employees
- Large private companies meeting the 1,000-employee threshold plus revenue/balance-sheet criteria
- Financial institutions — banks, insurers, and asset managers face additional sustainability disclosure requirements under related regulations (SFDR, Taxonomy) that aren't going away
If you're in this group, CSRD compliance isn't optional and the timeline hasn't moved. You still need ESRS-aligned reporting infrastructure.
The Supply Chain Angle: Why the TAM Actually Got Bigger
Here's the counterintuitive take: the Omnibus changes may have expanded the commercial opportunity for ESG software and services.
The 5,000 mandatory reporters still need to collect sustainability data from their supply chains. They just have less regulatory backing to demand it. That shifts the dynamic from "send us this data or we're in breach" to "we'd really like this data and we'll make it worth your while." Large multinationals are now deploying supplier sustainability scorecards, preferred-supplier programs tied to ESG data quality, and direct investment in supplier reporting tools.
SMEs that want to stay on preferred supplier lists for BMW, Unilever, or LVMH are discovering that the customer mandate is functionally equivalent to the regulatory mandate — except now it's opt-in from the buy side. Companies that can demonstrate clean scope 3 data, verified emissions factors, and auditable social metrics are winning contracts. Companies that can't are getting cut.
The net effect: voluntary supply chain sustainability reporting is scaling faster than the mandatory market would have created, with the 5,000 anchors acting as forcing functions across hundreds of thousands of SME suppliers globally.
What Companies Should Do Right Now
If you're one of the ~5,000 in-scope companies:
Don't treat the Omnibus as a reason to deprioritize. The mandatory ESRS disclosure deadline has not been extended for large NFRD companies. Your peers who built automated ESG reporting workflows — data collection pipelines instead of relying on manual spreadsheets — are already ahead. The companies that waited for final regulatory clarity and then scrambled are the ones paying 3x for consultants in year one.
Specific actions:
- Map your ESRS datapoints against what's now mandatory vs. voluntary — the list has changed
- Audit your Scope 3 Category 1 (purchased goods and services) data quality first; it's the largest gap for most manufacturers
- Review your supplier questionnaire process — the softened value chain provisions actually give you an opportunity to redesign what you're asking for and how
If you're a supplier to in-scope companies:
You may have just lost your statutory exemption, but you haven't lost the customer pressure. Large buyers are running their own supplier sustainability programs independent of regulation. Get ahead of the data request before it arrives as an emergency.
If you're building ESG software or services:
The market just bifurcated cleanly: mandatory-compliance products for ~5,000 large companies, and voluntary-but-customer-driven tools for the millions of SMEs in their supply chains. Both are real markets. The second is larger and growing faster.
Automation and SOC2: The Compliance Stack That Makes Sense Together
For companies still in CSRD scope — and for SME suppliers responding to customer-driven ESG requests — the infrastructure investments are clear: automated data collection pipelines, auditable ESG reporting workflows, and access controls that satisfy both sustainability assurance and security audit requirements.
Many companies building toward CSRD compliance are also pursuing SOC2 Type II certification, driven by enterprise customer requirements. The audit-readiness culture, access logging, and change management processes are substantially shared. Building them together is more efficient than sequentially. See our Security & SOC2 Compliance offering alongside our ESG Compliance Engineering practice.
The Bottom Line
CSRD didn't go away. It got concentrated. The 90% reduction in mandatory reporters means the 5,000 that remain have no political cover to delay — and the supply chain pressure they exert means the effective reach of sustainability reporting hasn't shrunk nearly as much as the headline number suggests.
If you're building toward compliance or helping clients navigate this, the fundamentals haven't changed: automate data collection, build auditable trails, and don't wait for the final final final guidance before starting.
Have a CSRD implementation scope you're trying to get right? Book a 15-min scope call — we'll tell you exactly what to automate first.
Related Resources
More articles:
Our solutions: ESG Compliance Engineering · Security & SOC2 Compliance
Glossary:
Comparisons:
Free Tool: See how the 2026 Omnibus changes affect you — check your CSRD readiness in 2 minutes. → CSRD Readiness Calculator