Omnibus I: clarity on the future of the CSRD and CSDDD

CSRD

Restriction of scope

The scope of the CSRD is limited to the following categories of companies:

• Companies with more than a 1,000 employees and more than EUR 450 million in net turnover;
• Companies from third countries, provided that the parent company has a net turnover of more than EUR 450 million for two consecutive financial years and the subsidiary or branch in the EU has a net turnover of more than EUR 200 million.

Listed medium-sized and small companies are no longer covered by the scope. Financial holding companies are also excluded from the scope of the CSRD.

Furthermore, under the amended CSRD, all subsidiaries may make use of the subsidiary exemption when the sustainability information is included in a consolidated report of a parent company. Under the old text of the CSRD, this exemption could not be used by listed (subsidiary) companies, which meant that these companies were obliged to publish their own sustainability reports.

Based on the amended CSRD, the European Commission must assess in 2031 whether the scope of application is appropriate. For companies that are not (or no longer) covered by the CSRD, voluntary reporting standards will be established by the European Commission.

Value chain cap and 'protected undertaking'

The revised version of the CSRD introduces the concept of a 'protected undertaking'. A protected undertaking has no more than a 1,000 employees and is part of the value chain of an undertaking covered by the CSRD. Protected undertakings have the right to reject requests for information from reporting undertakings insofar as these go beyond what the protected undertaking would be required to report under the voluntary standards. Furthermore, reporting companies are not permitted to contractually stipulate more extensive information obligations. If this does happen, the relevant contractual provisions are not binding. If a reporting company requests more information, it must actively point out to the protected company which requested information goes beyond that specified in the voluntary standards and the right of the protected company under the to ignore this request. These restrictions only apply to information requests intended for the sustainability reporting of the reporting company. Information requests that serve a different purpose remain permitted.

In addition, the Directive provides for a three-year transition period during which companies are given the opportunity to explain why they have not been able to obtain all the necessary information from their value chain and what their plans are to ensure that they can still obtain this information.

No sector-specific ESRS and no reasonable assurance

The European Commission's power to adopt sector-specific European Sustainability Reporting Standards (hereinafter: ESRS) will be abolished. Instead, a provision has been included that allows the European Commission to adopt sector-specific guidelines.

The future obligation to obtain reasonable assurance on sustainability reporting has also been removed. This means that only the obligation to obtain limited assurance remains in the CSRD.

Article 8 Taxonomy Regulation

Companies that fall within the stricter scope of the CSRD remain obliged to comply with Article 8 of the Taxonomy Regulation. Based on Article 8 of the Taxonomy Regulation, companies that prepare sustainability reports under the CSRD must also report on the extent to which their activities qualify as environmentally sustainable as defined in the Taxonomy Regulation.

Transitional arrangement

Under the CSRD, an initial group of companies was already required to publish a sustainability report for the 2024 financial year. These are the so-called large public-interest entities (PIEs). Member States will be given the option of providing a transitional arrangement for large PIEs that no longer fall within the stricter scope of application: they will not be required to comply with the CSRD reporting requirements for 2025 and 2026. Companies that are large PIEs and remain subject to the CSRD will still be required to prepare and publish sustainability reports for the 2025 and 2026 financial years.

CSDDD

Scope of application The scope of application of the CSDDD is limited to companies with more than 5,000 employees and more than EUR 1.5 billion in net turnover worldwide, and companies from third countries with more than EUR 1.5 billion in net turnover on the European market (Art. 2(1)(a)). Under the previous text, this concerned companies with more than 1,000 employees and more than EUR 450 million in net turnover and companies from third countries with more than EUR 450 million in net turnover in the EU (Art. 2(2)(a)). However, the CSDDD does contain a clause allowing the European Commission to make recommendations or legislative proposals regarding the adjustment of the thresholds in the report that the European Commission prepares for the Parliament and the Council on the implementation and effectiveness of the CSDDD (for the first time in 2031). In addition, the European Commission may recommend that companies operating in high-risk sectors should still be covered separately by the CSDDD (Art. 36). A similar clause relating to financial companies, which is part of the current text of the CSDDD, will be removed. 

Identification of adverse impacts 

With regard to identifying adverse impacts, companies must prepare to carry out a scoping exercise of their activities and those of all direct and indirect business partners, looking at the risks or existence of impacts of activities in general. This means that companies will have to identify their 'supply chains' at a less detailed level and may look at the impacts of, for example, cotton cultivation in a particular region in general, rather than the specific activities of all entities in the supply chain. A mapping exercise identifying all activities and impacts at entity level will no longer be mandatory.

Companies may only base their research on 'reasonably available information'. This is to prevent small business partners from being burdened with information requests as much as possible. The scoping exercise should result in a risk index that identifies the 'general areas' where negative impacts are most likely or most significant. These general areas should then be investigated further to identify the specific potential or actual negative impacts. Information requests to business partners may only be made when the information is necessary. Furthermore, if the business partner has fewer than 5,000 employees, only information that cannot reasonably be obtained by other means may be requested. If companies have identified risks of adverse impacts that are equally likely or significant at the level of direct and indirect business partners, they may prioritise the impacts occurring at the level of direct business partners when conducting further investigation.

Addressing potential and actual adverse impacts 

With regard to mitigation obligations for potential and actual adverse impacts, only the provisions on follow-up measures to be taken if the initial response measures prove ineffective have been amended. When the risk of or an actual adverse impact is identified, companies are required to take action to prevent or end the impact. The CSDDD divides these actions into two phases: initial response measures and follow-up measures. Initial response measures include implementing an initial action plan to prevent or end impacts and seeking contractual guarantees from business partners to prevent or end impacts. If the initial response measures prove ineffective, the company must take  follow-up measures. 

The obligation to terminate a business relationship when other follow-up measures cannot reasonably be expected to prevent or resolve/minimise an impact has been removed. However, individual Member States may still choose to include this obligation in their national legislation, as the follow-up measures are no longer subject to the maximum harmonisation of the CSDDD. This may therefore vary from one jurisdiction to another.

Suspending a business relationship until the negative impact has been adequately addressed is now only required if the legal system applicable to the contracts between the entities allows this. The obligation to draw up and implement an improved follow-up action plan has also been amended. This is now only required if there is a reasonable expectation that these efforts will succeed in preventing or resolving negative effects. In addition, it has been added to the provisions that as long as there is a reasonable expectation that an action plan can succeed, the mere fact that the company continues to maintain the business relationship cannot give rise to administrative sanctions or civil liability. It also applies that if companies have correctly prioritised effects that were more likely or more serious, no administrative sanctions can be imposed for not (yet) addressing less significant effects.

Climate transition plan 

The obligation to draw up and implement a climate transition plan has been removed in its entirety. 

Stakeholder engagement and periodic evaluation 

With regard to stakeholder engagement, two instances of mandatory stakeholder engagement have been removed. The CSDDD still requires companies to consult relevant stakeholders when making certain decisions, thereby giving them the opportunity to share their views, for example when gathering the information needed to identify impacts and when drawing up action plans to prevent or end impacts. Stakeholders no longer need to be consulted on the decision to suspend (or terminate, where Member States still opt for this) a business relationship and on the qualitative and quantitative indicators for the periodic review of the due diligence policy.

The provision on the periodic review of due diligence policies has also been amended. Instead of annually, the review is now mandatory every five years, unless there have been significant changes or there are reasonable grounds to suspect that the current due diligence policy is no longer adequate.

Civil liability 

The EU-wide harmonised liability regime has also been removed from the directive. In connection with 'effective legal protection', Member States must guarantee that liability for violations of the CSDDD is possible, but this may be done under their own chosen usual or specific national liability regime. As is customary in this type of legislation, it is therefore left to the Member States themselves to determine the conditions for liability, such as causality and attribution. As a result, the success of a claim may vary from one Member State to another. In addition, Member States are no longer obliged to give precedence to national law provisions arising from the CSDDD in cases where claims are not governed by national law. This represents a significant limitation of the liability regime, as it means that parent companies may no longer be held liable in the EU for environmental damage and human rights violations committed by their subsidiaries outside the EU. The obligation to allow collective actions has also been removed. The existence of a legal risk in this regard may therefore vary from one Member State to another. The Netherlands already allows collective actions through the WAMCA (a specific law aimed at settling mass claims). 

Maximum harmonisation 

Maximum harmonisation with regard to other obligations has been extended. Member States may not introduce stricter rules with regard to investigation and prioritisation, first response measures, complaints and notification mechanisms, periodic evaluation of due diligence policies and reporting, but they may still do so with regard to follow-up measures.

Sanctions

In the area of sanctions, the percentage for the maximum fine has been adjusted. Under the old version of the CSDDD, the maximum fine had to be at least 5% of global net turnover; now, the maximum fine may not exceed 3% of global net turnover.

Implementation date 

Finally, the implementation date for Member States has been postponed to 26 July 2028 and the application date for companies to 26 July 2029. 

Looking ahead

The official vote in the Council of the European Union is expected in early 2026. After this, the directives amending the CSRD and CSDDD will be published in the Official Journal of the European Union. Once they have entered into force, the implementation period for Member States will also commence: Member States will have one year to implement the changes, with the exception of the changes to the CSDDD, which must be implemented by 26 July 2028.