CSRD and CSDDD Version 2.0 – the EU's sustainability framework redefined

EU entities

The Omnibus sets the thresholds for EU companies at 1000 employees and €450m of net worldwide turnover. This is a dramatic increase from the previous test, which required entities to have two of 250 employees, €50m turnover and €25m balance sheet, but lower than the 1750 employees reflected in the Parliament's position. In particular, this change will take out of scope high turnover, low headcount businesses, including many across the financial services sector.

Member States will have the right – but not the obligation – to exempt existing "wave 1" reporters from reporting for 2025 and 2026. Some such reporters with more than 500 but less than 1000 employee will fall out of scope entirely as of financial years beginning on or after 1 January 2027.

Non-EU entities

For non-EU companies, the final agreement on scope is unlikely to illicit cheers from any camp. Non-EU ultimate parents (other than financial holding companies, as below) of groups with €450m net EU turnover or more (no employee threshold) will need to report via an obligation which sits with their EU subsidiary, where that subsidiary has a net turnover of €200m. Alternatively, an EU branch of a non-EU ultimate parent that generates a net turnover exceeding €200m must report for the group. Previously, the reporting obligation sat with the EU subsidiary which was itself in scope of CSRD.  In effect, this change means that some EU companies will hold a reporting obligation for their group, even where not reporting themselves. While the recitals to CSRD emphasise that the subsidiary or branch is only required to publish and make available the sustainability report provided by the parent, if the parent chooses (or, foreseeably, is required under its home law) not to comply, the subsidiary must draw up and publish the report itself. It remains to be seen how aggressively this provision will be enforced, but theoretically the EU subsidiary of a recalcitrant non-EU parent could incur liability for failing to publish a report on behalf of its group. Revised scoping exercises should take this into account.

Financial holding undertakings

The financial services sector also benefits from a new exemption for "financial holding undertakings" as defined in the Accounting Directive: undertakings with the sole object of acquiring holdings in other undertakings, managing such holdings and turning them to profit, without direct or indirect management of those undertakings, without prejudice to the rights of shareholders. While this definition is succinct, the Omnibus text's recitals provide both colour and uncertainty as to the availability this exemption. Private markets firms will need to work through the definition carefully to determine whether they can take advantage of it.

For example, the rights of shareholders may, depending on national law, include the appointment of members of the management or board, but where the holding company appoints one of its own directors to the board, it is less clearly limiting its own management of the investee company. The exemption also only applies to financial holding undertakings with diverse holdings "namely in undertakings whose business models and operations are independent of one another", but excluding instances where "the activities of one subsidiary enable or directly support the activities of another subsidiary". Presumably this is intended to prevent companies creating additional layers of corporate structure for the purpose of circumventing CSRD. Asset managers pursuing a targeted, potentially single-sector investment strategy where the investments of specific funds do interact with each other should ensure that the fund vehicle (otherwise meeting the thresholds) does not fall out of the scope of the exemption on account of the "diverse holdings" point.

Regulators were keen to ensure that large undertakings in the scope of CSRD (and CSDDD) did not simply pass on the burden of their obligations to small undertakings within their value chain that were less well resourced and potentially less sophisticated, and therefore less able to bear that burden. The voluntary SME standard ("VSME") was intended to be used by those smaller entities in order to provide reporters with the information they needed, in a way that obviated the need for long, diverse questionnaires, though the European legislators nonetheless feared "disproportionate requests for information".

The Omnibus text introduces the concept of a "protected undertaking" – an undertaking with fewer than 1000 employees according to its own self-declaration, towards whom reporters are prohibited from requesting information exceeding the limits of that set out in the VSME to be adopted by the European Commission. Information requests will need to highlight any part of that request which goes beyond what the reporting undertaking is entitled to request (outside the scope of the VSME) and include a reminder to protected undertakings of their statutory right to decline to provide such information. The three year phase-in for value chain information from the original CSRD remains (namely, reporters who cannot obtain all necessary value chain information may explain the efforts made to obtain it, and plans to obtain it in future).

Critically, this restriction on information requests only applies to information gathering done for the purpose of reporting sustainability information under CSRD, and not reporting for any other purpose, including "for the reporting undertaking's risk management". The distinction here is not an easy one – effective sustainability reporting will be the output of (not the reason for) a risk identification, assessment and management process which includes sustainability and other topics. On the one hand, companies may be able to legitimately circumvent the "value chain cap" by requesting information for other purposes, but on the other hand, they may need to engage in dialogue with business partners seeking to resist information requests based on CSRD protections.

New rights to omit information

The Omnibus text strengthens CSRD's provisions on instances where information may be withheld. These include a new right to omit information, in exceptional cases, where disclosure would be "seriously prejudicial to the commercial position of the undertaking". Further criteria must be met, including that the omission does not prevent a fair and balanced understanding of the undertaking's development, performance, position, principal risks or principal impacts. The ESRS – even in their draft revised format – cover many areas where a business may suffer prejudice to their commercial position if information becomes widely known, for example that their directors have anti-corruption convictions. On the other hand, that information may affect the entity's financial prospects if customers become aware, making it precisely the type of financially material risk that should be disclosed. It will be interesting to see how far reporters seek to use this exemption, and how far auditors will accept it.

European Sustainability Reporting Standards

The first set of European Sustainability Reporting Standards ("ESRS") have undergone a concurrent  simplification process, and have been delivered by EFRAG to the European Commission for their consideration and potential amendment before expected adoption next year. The Omnibus text underlines the priorities for ESRS simplification (which the Commission will need to have regard to before adoption), including removing the least important data points, prioritising quantitative data points over narrative, improving consistency with other EU legislation including on financial services and interoperability with international standards.

Sector specific standards

The sector specific standards originally envisaged by CSRD will not be developed, but the Omnibus text provides that the Commission "could support undertakings by providing sector-specific guidance". This non-committal provision in the text's recitals is unlikely to be definitive; EFRAG has indicated that it may repurpose its initial work on sector specific standards as guidance, though it currently lacks a mandate from the Commission to do so. 

Non-European Sustainability Reporting Standards ("nESRS")

A large question mark hangs over the Commission's development of standards for non-EU group reporting under Article 40b. This provision requires the so-called nESRS to be adopted by 30 June 2026 (deferred from 30 June 2024 via a pre-Omnibus amendment). However, Article 40b was on the Commission's recent "kill list" of non-essential empowerments, which the Commission will propose to either amend or repeal. Despite that, Article 40b is unchanged by the Omnibus text. EFRAG had begun work on a set of nESRS that contained important distinctions from the EU ESRS, including that non-EU entities need only report on an impact rather than financial materiality basis, and that they could exclude matters with no EU relevance. Non-EU entities are likely to be keen to retain these concessions rather than being forced to use the EU ESRS, particularly in instances where the EU subsidiary is itself not required to report under CSRD.

VSME

The VSME gains a new-found importance under CSRD given the volume of companies now out of scope and encouraged to report voluntarily using the VSME, as well as the use of the VSME to define the scope of information requests for protected undertakings (discussed above). The Commission has issued a recommendation for the use of the existing VSME standard published by EFRAG in December 2024, but must formally adopt it (or a revised version) via a delegated act in due course.

The Commission had not originally proposed any changes to the scope of CSDDD, given that it was already significantly higher than CSRD, reflecting the more onerous behavioural nature of the obligations under the directive. Nonetheless, the Council and the Parliament both supported higher thresholds, with the final text exempting all but around 1500 of the world's biggest companies.

The thresholds for EU companies now rest at €1.5bn of net worldwide turnover and 5000 employees, and for non-EU companies, €1.5bn of EU turnover. For corporate entities operating franchise models, the Omnibus retains thresholds based on royalties, but increases these to €75m in royalties and €275m in net worldwide turnover for EU companies, or €75m in EU royalties and €275m in EU turnover for non-EU companies.

Non-EU entities may have hoped for a better outcome from the negotiations. There was considerable pressure, particularly from the US Government and corporates, to exempt non-EU companies entirely. It was also strongly argued that application to non-EU companies should be more limited, including via the introduction of an employee threshold, for better alignment with the EU thresholds. The European Commission has always resisted a non-EU employee threshold, based on the lack of a common international definition of an employee. It has also been highlighted that an employee threshold may well exempt some entities that would be prime targets of the law, including Chinese-headquartered importers such as Shein or Temu who may not retain a large employed workforce. The effect of this may well be that many non-EU companies will be captured by CSDDD whilst equivalent-sized EU companies in financial terms would be exempt based on not meeting the employee threshold.

No attempt was made in the Omnibus process to clarify how national Member State supervisory authorities will enforce CSDDD against non-EU entities with no physical presence in the EU.

The Omnibus text is keen to stress that the purpose of CSDDD is not "to provide a comprehensive framework for the protection of human rights or the environment in the context of companies’ operation[s]". This already exists, it argues, via legislation which puts obligations on companies either directly or indirectly in respect of (among others) workplace health and safety, labour rights, construction standards or product safety. Instead, CSDDD is (only) designed to harmonise national laws concerning due diligence obligations.

The two stage due diligence process is retained but softened, and not limited to direct business partners as the Commission had initially proposed. The initial scoping exercise to identify risk hot spots must be based only on "reasonably available information", which will normally prevent them from requesting information for business partners. Risk factors should be taken into account in this first stage, including whether the business partner itself is subject to CSDDD or a comparable mandatory sustainability due diligence requirement (presumably, to be taken as a risk mitigation factor based on assumed compliance).

The second stage, in-depth assessment, may include requesting information from business partners, but even the scope of that exercise is limited – information can only be requested where necessary, and information should only be requested from business partners with less than 5000 employees where it cannot reasonably be obtained by other means. In practice this introduces an equivalent concept to the CSRD "protected undertaking". In the case of CSDDD, this change responds to concerns that a large proportion of undertakings' direct and indirect suppliers were small, outside the EU or both, where the push down of diligence and reporting information obligations represented a huge time and cost burden. Equally the requirement to put in place contractual provisions to address adverse impacts positively encouraged this negative trickle-down effect.

According to the text, undertakings need not identify every adverse impact in their operations, those of their subsidiaries and those of their business partners. Failure to identify and address adverse impacts should not be penalised provided the company has complied with its due diligence obligations more generally. Undertakings must take "appropriate measures" to address impacts – a phrase which is open to interpretation based on factors such as the size and resources of the company, the complexity of the supply chain and the degrees of separation between the company and the suspected impacts. Companies may prioritise impacts involving direct business partners.

Overall, the amendments shift the emphasis from the effectiveness of the diligence itself to the defensibility of the process underlying it. Liberal use of terms which are open to interpretation decrease legal certainty, increasing the importance of the various guidelines that the Commission is required to publish under Article 19 of CSDDD, mostly by 26 July 2027.

Deletion of the entire obligation to adopt a climate transition plan was a major win for the European Parliament. In the press conference following adoption of the Parliament's negotiating position in November, the Parliamentary Rapporteur in charge of the file noted that seven pieces of existing EU legislation require entities in scope to have a climate transition plan, though this appears to be an inflation of sectoral legislative requirements with limited application. CSDDD would have been a world-first horizontal requirement for businesses to adopt a climate transition plan (meaning that all eyes now turn to the UK to see whether it will, instead, be the first to introduce such a requirement).

MEPs who pushed for the deletion of CSDDD's climate transition planning obligation have been keen to stress that related obligations under CSRD remain. Indeed, EFRAG's draft revised ESRS E1 still includes an obligation to disclose a transition plan for climate change mitigation, or a disclosure that the business does not have a transition plan and an indication of whether, and if so when, it expects to adopt one. This obligation - which is fully satisfied by a disclosure regardless of what that disclosure reveals - is in no sense comparable to the previous CSDDD obligation for covered businesses to adopt and put into effect a plan aligned with 1.5 degrees of warming and the EU's carbon neutrality goal.

All of the European institutions agreed to delete the controversial civil liability provisions in CSDDD, with the result that liability will be determined according to the existing civil frameworks of each Member State. These can be complex and have little uniformity, meaning that the lack of a harmonised system is likely to deter claimants unless well advised and well funded (which conversely, is increasingly the case).

Regulatory penalties under CSDDD are also revised. Whereas the existing law could have seen minimum penalties of 5% of group worldwide turnover, the Omnibus text imposes a ceiling on the fines Member States may impose, of 3% of worldwide turnover. Still, this may represent billions of dollars for some of the US organisations that have lobbied hardest against CSDDD.

What next for the EU's sustainability framework

Undoubtedly, the polarised views on these laws have damaged the EU's credibility both in respect of its global leadership on sustainability matters and also in the rule of law – the EU's ability to follow the strict processes it has in place to ensure robust and predictable law making in a democratic fashion were compromised.

Businesses remaining in scope of either law have some time to process the changes. Reporting under CSRD will begin for financial years starting 1 January 2027 and onwards with publication in the following year, while the Omnibus text removed the phase in for CSDDD and provided a 26 July 2029 compliance deadline for all.

Both laws will gain a review clause – the Commission is required to review the financial and employee thresholds in CSRD for inflation every five years, although the Parliament and the Council can revoke that power "at any time"; a separate review of whether more "large" entities should be brought into scope and non-EU entities with no EU subsidiary or branch must be completed by 30 April 2031. The Commission is also required to review the thresholds in CSDDD by 26 July 2030, including consideration of aligning the scope with CSRD or bringing certain high risk sectors into scope. It would be unwise to view these review clauses as a key concession which will rapidly see the deregulation reversed. Given that the geopolitical conditions in five years' time may be entirely different from today, MEPs did not see this as a critical element of the compromise agreement.

Though conceivably the secondary legislation and guidelines expected under CSRD and CSDDD could strengthen the regimes to a degree, the political will of the European Commission to do so is likely to be limited. The European Parliament in particular may also be willing to use its oversight of Commission delegated acts to object to any perceived shift away from the agreed position as reflected in the Omnibus text.

The EU can expect further pushback from the US – both from big businesses which lobbied hard against CSDDD, and from the Government. The Trump administration might have anticipated a different outcome to the Omnibus process, given that the recent US-EU framework trade agreement committed the EU to ensuring that CSRD and CSDDD did not pose undue restrictions on transatlantic trade. Certain MEPs have suggested that the European Parliament will have little appetite for ratifying the trade agreement, risking retaliatory tariffs being imposed by Washington. For now, all businesses must accept the Omnibus' landing place – while some breathe a sigh of relief, others will be considering how to fill the gaps it leaves.