If your company spent 2024 and 2025 preparing for CSRD, the rules you prepared for have changed. On 26 February 2026, the EU published Directive (EU) 2026/470 — the Omnibus I Directive — in its Official Journal, and it entered into force on 18 March 2026. The headline result: the Corporate Sustainability Reporting Directive (CSRD) now reaches roughly 80% fewer companies, and the Corporate Sustainability Due Diligence Directive (CSDDD) has been refocused onto only the largest firms in the world.

This is not a Brussels explainer. It's a translation for the people who have to make a decision this quarter: mid-market sustainability leads and U.S. companies with EU operations who need to know whether they're still in scope, and what to do if they're not.

The short version, from where we sit advising clients through exactly this: a lot of companies just fell out of the mandatory net, and the smart ones are not walking away from the work. Double materiality, supply-chain readiness, and a credible climate plan are good management regardless of what the directive requires.

That's the End of Extraction reading of this moment: the regulation receded, but the underlying business logic didn't.

What are the new CSRD thresholds after the Omnibus?

CSRD now applies only to companies that exceed both 1,000 employees and €450 million in net turnover. That's a dramatic narrowing from the prior regime, which captured companies at 250 employees, €50M turnover, or €25M balance sheet. The change moves the directive from a broad-based reporting mandate to one focused on the largest undertakings.

For non-EU parent companies, the test is different but consequential for U.S. firms: the directive applies to groups generating more than €450M net turnover in the EU, with an EU subsidiary or branch exceeding €200M in net turnover. If you run EU operations from a U.S. headquarters, that branch-level threshold is the number to check first. Listed SMEs, previously the third reporting wave, are now out of mandatory scope entirely.

Who is still in scope, and who just fell out?

The cleanest way to read the new rules is as three groups. Knowing which one you're in tells you what to do next.

Source: Norton Rose Fulbright and Covington analyses of Directive (EU) 2026/470.

When we run a scope check for a client, the surprising result is how many mid-market companies that braced for full CSRD now sit in the third row. That's a relief on the compliance budget and a strategic fork: the directive no longer compels you, but your largest customers and investors increasingly will. We'll come back to why that matters.

A worked example: the U.S. company with EU operations

The non-EU test trips people up because it isn't the same number as the EU test. Picture a U.S.-headquartered manufacturer with €600M of revenue generated inside the EU, run through a single German subsidiary that books €240M of that turnover. Under the EU employee-and-turnover test, a U.S. parent might assume it's out, because it doesn't have 1,000 EU employees. But the non-EU scope test is turnover-based: a third-country group is in scope when it generates more than €450M net turnover in the EU and has an EU subsidiary or branch above €200M. Our example clears both bars (€600M group, €240M branch), so it's in, reporting for financial years beginning in 2028.

Change one variable and the answer flips. Drop the German subsidiary's turnover to €180M, below the €200M branch threshold, and the group falls out of mandatory scope even though total EU revenue is unchanged. That sensitivity is exactly why we tell U.S. clients not to eyeball it. The branch-level number, not the headline group number, is usually the deciding factor, and it's the one finance teams overlook because it never mattered under the old regime.

What changed for CSDDD due diligence obligations?

CSDDD (the due diligence directive, sometimes written CS3D) was narrowed even more sharply than CSRD. It now applies only to EU companies with more than 5,000 employees and €1.5 billion in net worldwide turnover, or to non-EU companies generating more than €1.5B in turnover within the EU. For all but the largest multinationals, the mandatory due diligence regime is now out of reach.

The Omnibus also softened the obligations themselves. The previously mandatory requirement to adopt a Paris-aligned climate transition plan was removed, penalties were capped, and the EU-wide civil liability regime was replaced by national rules. Member States must transpose the CSDDD amendments by 26 July 2028, with application following in 2029.

A caution worth stating plainly: the removal of the mandatory climate transition plan from CSDDD is a compliance change, not a strategy change. Investors, lenders, and large customers still ask for one. Dropping the plan because Brussels no longer demands it would be a governance signal most boards don't actually want to send.

Did double materiality survive the Omnibus?

Yes, and this is the most important thing for sustainability teams to internalize. The Omnibus retained double materiality as the foundational principle of CSRD reporting. What changed is the volume, not the concept: mandatory ESRS datapoints were cut by roughly 61%, from about 1,100 to around 430, with the process clarified and streamlined.

Double materiality means assessing sustainability from two directions: how your company impacts people and the environment (impact materiality, inside-out), and how sustainability issues affect your financial performance (financial materiality, outside-in). It's the analytical core that tells you which issues actually matter to your business rather than which ones are fashionable.

Here's the part the compliance framing misses. A double materiality assessment is good management whether or not you're required to file one. It's how you find the climate, supply-chain, and workforce risks that will show up on your P&L before they show up in a headline. Companies that fell out of CSRD scope but keep running the assessment are making a strategy decision, not a compliance one.

When do the new rules actually bite?

The deadlines matter as much as the thresholds, because they decide whether 2026 is a scramble or a planning year. For most companies still in scope, it's a planning year. The Omnibus sits on top of an earlier "stop-the-clock" delay, and the combined effect pushed first-time reporting out by two years for the companies that hadn't already started.

Here's the practical timeline.

Wave 1 (large listed companies and public-interest entities already covered by the old NFRD) is unchanged: they've been reporting since 2025 on FY2024 data.

Wave 2 — large companies newly in scope — saw first reports postponed from 2026 to 2028, covering financial year 2027, under the revised ESRS.

The original Wave 3 (listed SMEs) is now largely moot, because the Omnibus thresholds push most of those companies out of mandatory scope entirely.

That two-year delay is the gift most teams aren't using well. In practical terms, 2026 becomes a preparation year rather than a reporting year for Wave 2. The smart move is to spend it refreshing your double materiality assessment, cleaning up data pipelines, and confirming scope, rather than treating the reprieve as permission to put the program down. The companies that drift through 2026 will rediscover the deadline in 2027 with the same readiness gap they have today.

On the standards themselves: the Commission is expected to adopt the simplified ESRS Delegated Act before the end of 2026, with the new standards applying from FY2027 and voluntary early application permitted for FY2026. Limited assurance remains the standard; the move to fuller "reasonable" assurance was postponed. For non-EU groups in Wave 4, reporting is due in 2029 for FY2028, on a separate set of standards for third-country companies.

What got cut from the ESRS, and what survived?

The datapoint reduction is the change that most directly affects the people doing the work. Depending on which stage of the EFRAG revision you count, mandatory ESRS datapoints fell by roughly 61% to 70%, from over 1,000 in the original standards to somewhere between 320 and 430. Every previously voluntary datapoint was removed outright. The intent is to concentrate reporting on what's material and drop the long tail of disclosures that produced compliance cost without decision-useful information.

What survived is more telling than what got cut. Double materiality survived. The expectation to report material Scope 3 emissions survived, though it can be more narrowly drawn where it isn't material. The emphasis on judgment and "fair presentation" actually increased: the simplified standards lean harder on materiality as the filter, which means companies have more discretion but also more responsibility to defend their choices to an auditor.

That shift, from box-ticking volume to defensible judgment, is the part worth planning around. Fewer datapoints doesn't mean less rigor; it means the rigor moves from "did you fill in every field?" to "can you justify what you decided was material, and show the evidence?" A thin or poorly documented materiality process is now the most likely place a report falls down under assurance. We'd rather a client spend their 2026 preparation year strengthening that process than chasing datapoints that may not survive the final Delegated Act.

If you're out of scope, what should you keep doing?

Falling out of mandatory scope is not the same as being done. The VSME, the Voluntary Standard for non-listed SMEs, is quietly becoming the most important framework for mid-market companies, because it's turning into the common language large companies use to request sustainability data from their suppliers. The Commission's VSME Delegated Act is expected on 19 July 2026.

The mechanism matters. The Omnibus introduced a value-chain cap that limits what in-scope companies can demand from partners with fewer than 1,000 employees — but it explicitly points those requests at VSME-level data. So if you supply a large EU-facing customer, you'll likely be asked for VSME disclosures regardless of your own scope status. Preparing now is a competitive advantage, not a cost.

Three things are worth keeping regardless of where you land: a current double materiality view, a supply-chain readiness posture so you can answer data requests fast, and a credible climate plan. None of these depend on the directive. All of them protect enterprise value.

How we run a post-Omnibus readiness check

When a client comes to us unsure where the Omnibus leaves them, we work through four steps in order, and the order matters because each one changes the scope of the next.

First, confirm scope precisely, not the headline test, but the specific one that applies. EU entity? Run the employee-and-turnover test. Non-EU parent? Run the EU-turnover and branch-turnover test from the worked example above. This step alone resolves most of the anxiety, and it frequently moves a company from "we think we're in" to "we're actually out," or the reverse.

Second, map the demand around you, not just the law above you. Even out-of-scope companies field data requests from larger customers, lenders, and investors. We inventory who's going to ask you for sustainability data and what standard they'll ask in — increasingly VSME — because that demand often binds harder than the directive does.

Third, refresh the double materiality view. Whether you report or not, this is the artifact that tells you which risks deserve management attention. We treat it as a strategy input, not a reporting deliverable, which changes both how it's run and who's in the room.

Fourth, right-size the program to the answer. A large in-scope company needs an assurance-ready reporting function. A mid-market company that just fell out needs a lean VSME-ready posture and a defensible climate plan. The failure mode we see most is companies running the wrong-sized program for their actual position — over-investing out of inertia or under-investing out of relief. This is precisely where Council Fire's diagnostic tools earn their keep: a structured scope-and-readiness scorecard turns a fuzzy "are we okay?" into a specific work plan.

Who should treat the Omnibus as a strategic reset, not a reprieve?

If you're a mid-market company that just fell out of CSRD scope: don't dismantle the program you built. Convert it to a VSME-ready posture so you can answer customer and investor data requests without a fire drill. The work is mostly done — the task is to right-size, not retire it.

If you're a U.S. company with EU operations: check the branch-level threshold (€200M EU branch turnover under a €450M EU group) before assuming you're clear. Non-EU scope tests are different from the headline numbers and catch companies off guard.

If you're a large in-scope company: your task shifts from "will we report?" to "will the revised ESRS reduce our burden enough to do this well?" Use the datapoint reduction to focus on material disclosures that hold up under assurance, rather than spreading effort thin.

The throughline: the Omnibus didn't end EU sustainability regulation, it concentrated it. The companies that win are the ones that read the deregulation as a chance to do the right work well rather than an excuse to stop. Treating double materiality and supply-chain readiness as management tools rather than compliance chores is the difference between a program that creates value and one that only ever absorbed cost.

Not sure where the Omnibus leaves you? Council Fire runs scope and readiness checks against the new CSRD and CSDDD thresholds, and helps right-size programs for companies moving from mandatory to voluntary reporting.

Start a conversation →

FAQs

What are the new CSRD thresholds in 2026?

After the Omnibus, CSRD applies only to companies exceeding both 1,000 employees and €450 million in net turnover, up from the prior 250-employee and €50M turnover bar. Non-EU parent groups are in scope at €450M EU net turnover with an EU branch above €200M. The change excludes roughly 80% of previously covered companies.

Is the Omnibus directive final, or still a proposal?

It's final and in force. Directive (EU) 2026/470 was adopted by the Council on 24 February 2026, published in the Official Journal on 26 February 2026, and entered into force on 18 March 2026. Member States must transpose the CSRD amendments by 19 March 2027 and the CSDDD amendments by 26 July 2028.

What are the new CSDDD (CS3D) thresholds?

The due diligence directive now applies only to EU companies with more than 5,000 employees and €1.5 billion in net worldwide turnover, or non-EU companies generating over €1.5B turnover within the EU. The Omnibus also removed the mandatory Paris-aligned climate transition plan and capped penalties, narrowing both the scope and the obligations.

Does double materiality still apply after the Omnibus?

Yes. The Omnibus retained double materiality as the foundational principle of CSRD reporting. It reduced mandatory ESRS datapoints by approximately 61% and streamlined the assessment process, but the core requirement to evaluate both impact materiality and financial materiality remains intact for in-scope companies.

My company fell out of CSRD scope: should I stop reporting?

Not necessarily. Many companies below the thresholds continue voluntarily under the VSME standard because investors, lenders, and large customers still expect the data. The VSME is becoming the common language for supply-chain sustainability requests, so a voluntary posture often protects commercial relationships even without a legal mandate.

What is the VSME standard and when does it arrive?

The Voluntary Standard for non-listed SMEs (VSME) is a proportionate, lighter set of disclosures for companies outside mandatory CSRD scope. It has minimal datapoints, no mandatory double materiality analysis, and no required external assurance. The Commission's VSME Delegated Act is expected on 19 July 2026, after which it becomes the default for supplier data requests.

Does the Omnibus affect U.S. companies?

Yes, if they have EU operations. CSRD applies to non-EU parent groups generating more than €450M net turnover in the EU with an EU branch above €200M. U.S. companies should check the branch-level threshold specifically, since the non-EU scope test differs from the headline employee-and-turnover numbers that apply to EU firms.

Additional Resources

Understanding the Rules

• CSRD (definition) — what the directive covers, updated for the Omnibus

• Double Materiality (definition)

• Demystifying ESG Frameworks, Regulations and Reporting

• Navigating CSRD & CSDDD: Reporting Rules — prior coverage (now updated)

Materiality & Reporting

• Double Materiality and Stakeholder Input

• Ultimate Guide to Stakeholder Impact Reporting

• Stakeholder Feedback vs. Internal Metrics in Reporting

Cross-Border & Supply Chain

• US vs. EU ESG Screening Rules: Key Differences

• Cross-Border ESG Rules: What Businesses Need to Know

• Sustainable Supply Chains: Transforming Operations for Resilience and Equity

• Top 5 ESG Frameworks for SMEs

Strategy & ROI

• Build a Corporate Sustainability Strategy Aligned to ROI

• Stakeholder Strategy Is the New Competitive Advantage

Still in scope? Find out fast

• Sustainability Scorecard Generator — quick readiness check