CSRD After the Omnibus: Who Still Needs Verification — and Why It Still Matters

The legislative process is complete. Directive (EU) 2026/470 — the Omnibus I Directive — was published in the Official Journal of the European Union on 26 February 2026, formally adopted by the Council on 24 February 2026, and entered into force on 18 March 2026. EU Member States must now transpose the CSRD-related provisions into national law by 19 March 2027.

For the first time since the Corporate Sustainability Reporting Directive was adopted in 2022, companies have a stable, fixed regulatory picture. There are no further stop-the-clock proposals in the pipeline, no pending provisional agreements, and no live co-legislative negotiations to monitor.

The response from many compliance teams has been one of relief: fewer companies in scope, simpler standards on the way, and an assurance framework that will stay at limited assurance rather than escalate to reasonable. On the surface, the burden looks lighter.

But the simplification of scope does not mean simplification of purpose. The companies that remain inside the revised thresholds face the same core obligations as before — including the double materiality assessment, Scope 3 disclosure where material, and independent verification. And companies that fall outside the mandatory scope face commercial, financial, and regulatory pressures that have not gone away. The threshold changed. The strategic importance of credible sustainability data did not.

The most consequential change in the Omnibus I Directive is the replacement of the existing scope criteria with a hard dual threshold.

Under the original CSRD, companies qualified as in-scope based on the Accounting Directive's definition of a "large undertaking" — a two-out-of-three test applied across three criteria: 250 or more employees, net turnover exceeding €50 million, or a balance sheet total above €25 million. Meeting any two conditions was sufficient.

That logic is entirely replaced. Under the revised framework, an EU entity falls within mandatory CSRD scope only if it exceeds both of the following simultaneously: an average of more than 1,000 employees, and net annual turnover exceeding €450 million. A company with 5,000 employees and €300 million in turnover is no longer in scope. A company with €600 million in turnover and 800 employees is not in scope either. Both thresholds must be satisfied at the same time.

For non-EU parent entities, the trigger is also substantially higher. A non-EU group is now in scope only where it generates more than €450 million in net turnover within the EU for each of the last two consecutive financial years, and has at least one EU subsidiary or branch with net EU turnover exceeding €200 million. The prior EU turnover threshold for non-EU groups was €150 million — the Omnibus has tripled it.

Listed SMEs are removed from mandatory scope entirely. There is no lighter version of CSRD for them — they exit the regime completely.

The combined effect is a reduction in the number of directly in-scope companies of approximately 80 to 90 percent compared to the original directive — from an estimated 50,000 companies to roughly 5,000 to 10,000. That is a significant narrowing of the mandatory reporting population. But it should not obscure a separate fact: the companies that remain inside this smaller perimeter are subject to the same depth of disclosure requirements, including the full double materiality assessment and Scope 3 emissions reporting wherever value chain emissions are determined to be material.

For organisations that clear the dual threshold, the Omnibus I Directive has resolved a question that had been left open since CSRD was first adopted: what level of assurance will ultimately be required?

The original CSRD anticipated a pathway from limited to reasonable assurance — a progression that would have substantially increased the scrutiny applied to sustainability reports over time. That pathway has been removed. Limited assurance is now confirmed as the final requirement, not a transitional stepping stone.

The Commission is required to develop EU-specific limited assurance standards, with adoption mandated by 1 July 2027. These standards are expected to align with ISSA 5000, the international sustainability assurance standard published by the IAASB in 2023. Until EU-specific standards are adopted, assurance engagements proceed under national professional standards and existing frameworks.

What does this mean in practice? A limited assurance engagement requires an independent verifier to review the sustainability report and conclude whether anything has come to their attention that suggests the information is materially misstated. It involves inquiry, analytical procedures, and targeted evidence-gathering — less intensive than a full audit, but far from superficial. It still demands coherent data lineage, documented methodologies, traceable evidence chains, and internal controls that can withstand independent review.

The confirmation that limited assurance is the endpoint — rather than a way station — gives companies a stable target to design toward. It does not reduce the effort required to get there.

The European Sustainability Reporting Standards that define exactly what in-scope companies must disclose are currently under revision. EFRAG submitted its final simplified technical advice to the European Commission on 3 December 2025, proposing a significant reduction in mandatory data points. The Commission is required to adopt a revised delegated act incorporating these changes within six months of the Directive's entry into force — by 18 September 2026.

Until that revised delegated act is adopted, the existing ESRS remain in force. Wave 1 companies — those that entered CSRD scope as former NFRD reporters — must use the current standards for FY 2025 and FY 2026 reporting, with "quick fix" transitional reliefs available following the delegated act adopted by the Commission in July 2025. Once the simplified ESRS take effect, companies may voluntarily apply them for FY 2026 reporting, with mandatory application from FY 2027 onwards.

The simplification will meaningfully reduce the volume of prescribed disclosures and give companies more discretion based on their double materiality assessment. Sector-specific ESRS standards have been eliminated entirely; non-binding sector guidance may be developed in their place but will not carry mandatory status. The proportion of mandatory data points is expected to fall substantially.

What will not change is the underlying requirement to conduct and document a rigorous double materiality assessment as the foundation for those decisions. Under the revised approach, companies can omit topical disclosures for areas determined to be non-material — but the process for making that determination must itself be thorough, documented, and capable of withstanding verification review.

For most manufacturers, distributors, and industrial groups, climate will remain material from both an impact and a financial perspective under double materiality. That means Scope 1, 2, and 3 emissions disclosures under ESRS E1 are unlikely to disappear for these companies simply because the standards have been streamlined. The assessment process determines what must be reported. Simplification changes the volume of possible data points; it does not override the materiality conclusion for core climate topics.

The practical message is this: do not design your preparation timeline around the assumption that the September 2026 ESRS revision will reduce your specific reporting obligations. Conduct the double materiality assessment now. Let it determine what is in scope for your business. Then calibrate to whichever version of the ESRS applies when you first report.

Falling below the dual threshold removes the legal obligation to prepare a CSRD sustainability report. It does not remove the commercial and financial reasons to have credible, third-party-verified sustainability data.

Three sustained pressures will continue to generate emissions and ESG data requests toward de-scoped companies:

For de-scoped companies navigating any of these pressures, voluntary verification against the VSME standard provides a credible and proportionate basis for third-party assurance. The Commission is required to adopt the content of the voluntary VSME standard by 19 July 2026. Early engagement with this framework — and voluntary verification against it — demonstrates proactive ESG governance and can meaningfully differentiate a company in procurement, financing, and stakeholder reporting contexts.

One of the most operationally significant but least-discussed changes introduced by the Omnibus I Directive is the value chain cap.

Companies with fewer than 1,000 employees now have a formal legal basis to decline sustainability information requests from larger reporting companies where those requests exceed what is specified in the forthcoming voluntary VSME standard. This is a genuine protection — not a guideline or a recommendation — for smaller suppliers who have been experiencing the trickle-down burden of CSRD: being asked by customers to complete detailed ESG questionnaires as a condition of staying on approved vendor lists, despite having no direct CSRD obligation of their own.

For in-scope companies, the practical implication is that procurement-facing ESG data collection processes need to be reviewed and, where necessary, recalibrated. Requests sent to value chain partners with fewer than 1,000 employees must remain within the boundaries of the voluntary standard once adopted by the Commission on or before 19 July 2026. Requests that exceed those boundaries will not be legally enforceable.

This also creates a new dimension for assurance providers. The question in a limited assurance engagement is not only whether the disclosed data is accurate and traceable, but also whether the method of collecting value chain data was compliant with the legal framework that governs what could be requested from smaller partners. Data obtained through requests that exceeded the cap may raise questions about the validity of the collection process — a consideration that assurance teams will need to address as part of their engagement scope.

After more than two years of phased delays, stop-the-clock proposals, and wave restructuring, the CSRD reporting timeline is now stable. The Omnibus I Directive does not alter the timelines already established by the Stop-the-Clock Directive (EU) 2025/794, which entered into force in April 2025.

Member States have until 19 March 2027 to transpose the CSRD-related provisions of the Omnibus I Directive into national law. Until transposition is complete in a given jurisdiction, the existing nationally-transposed CSRD rules remain applicable in that country. Transposition progress across the 27 EU Member States is uneven, and companies with legal entities across multiple jurisdictions should monitor national-level developments separately.

The gap between now and Wave 2's first reporting deadline of 2028 may appear comfortable. It is not. Building the data infrastructure to support verifiable Scope 3 disclosures — particularly Category 1 purchased goods and services — typically requires 12 to 18 months of structured supplier engagement, internal controls design, methodology documentation, and system implementation. Starting in mid-2026 leaves limited margin for the delays that almost always arise.

Regardless of which version of the ESRS ultimately applies to your first report, the foundations of a verifiable sustainability report are consistent and do not change with simplification.

None of these requirements are affected by whether the ESRS contains 1,100 data points or 430. They apply irrespective of the level of simplification achieved. Companies that build these foundations during the current period of regulatory transition will be better positioned for assurance — and for the commercial credibility that comes with it — than those that treat simplification as a reason to defer preparation.

The Omnibus I Directive is a real and significant simplification of EU mandatory sustainability reporting. The number of in-scope companies has fallen by 80 to 90 percent. The assurance framework is now fixed at limited assurance with no escalation pathway. The ESRS are being meaningfully reduced in complexity. The reporting timeline is no longer a moving target.

But simplification is not the same as deregulation, and scope narrowing is not the same as a reduction in content depth for those who remain inside it. The companies that clear the dual threshold face the same expectations on data quality, Scope 3 coverage, double materiality rigour, and independent verification as the original CSRD envisaged. And companies that fall outside the threshold continue to face commercial, financial, and regulatory pressures — through supply chains, lending relationships, CBAM, and voluntary target frameworks — that make credible sustainability data strategically important regardless of legal obligation.

The threshold changed. The reason to take verification seriously did not.