Quick Read

The Omnibus I directive removed approximately 42,000 companies from mandatory CSRD scope, making sustainability reporting and assurance voluntary for most of the market rather than required. This paper reframes the question from "how do we prepare for mandatory assurance" to "should we report voluntarily, and if so, who will hold us accountable"—identifying three defensible positions (stop reporting, report unassured, or pursue voluntary assurance) and one indefensible drift into unassured voluntary claims. The framework helps out-of-scope companies determine which stakeholders (banks, insurers, customers, litigators) will continue to demand non-financial information regardless of regulatory status.

IN BRIEF

  • The Omnibus I directive, Directive (EU) 2026/470, entered into force on 18 March 2026. Member States must transpose it by 19 March 2027.

  • CSRD scope is narrowed to EU undertakings with more than 1,000 employees and more than €450 million in net turnover, and to non-EU parents with more than €450 million of EU turnover and an in-scope EU subsidiary or an EU branch above €200 million. Listed SMEs are fully exempt.

  • The revised scope applies for financial years beginning on or after 1 January 2027. Member States may exempt de-scoped Wave 1 entities from reporting for financial years 2025 and 2026.

  • Limited assurance is confirmed as the permanent requirement. The escalation pathway to reasonable assurance has been removed. An EU limited assurance standard is to be adopted no later than 1 July 2027.

  • Double materiality remains the foundation of CSRD compliance, and sector-specific ESRS have been removed. The Omnibus I directive includes review clauses, meaning scope may be tightened again.

Executive summary

This paper was originally conceived as a CSRD assurance readiness checklist. That paper is no longer worth writing, and publishing it would have been a small act of dishonesty.

The Omnibus I directive raised the CSRD scope threshold to more than 1,000 employees and more than €450 million in net turnover. Around 90 per cent of the companies that had been preparing — roughly 42,000 of them — fall outside it. Telling those companies how to prepare for a mandatory assurance engagement they will never undergo would be a well-formatted waste of their time.

The question that survives is more interesting and considerably more difficult. Reporting has become, for most of the market, a choice. Assurance has become a choice. And the parties who actually consume non-financial information — banks, insurers, index providers, strategic customers, litigators — did not withdraw when the legislator did.

WHAT CHANGED AND WHAT DID NOT

The obligation to supply credible non-financial information contracted sharply. The demand for it did not move at all. Everything in this paper follows from the gap between those two facts.

What follows is a scope determination that takes twenty minutes, a decision framework for the three positions an out-of-scope company can take, an honest account of who will still hold you to your claims, and a readiness checklist for those who remain in — reframed around what Omnibus I actually changed.

1. Determine your position

Work through this in order. Most executive teams believe they know the answer and are wrong about at least one branch.

Step

Question

Consequence

1

Is the undertaking established in the EU, and does it exceed both 1,000 employees and €450 million net turnover, on a consolidated basis where applicable?

If yes: in scope for financial years beginning on or after 1 January 2027. Proceed to section 4.

2

Is the undertaking a non-EU parent generating more than €450 million of net turnover in the EU, with either an EU subsidiary meeting the large-undertaking criteria or an EU branch generating more than €200 million?

If yes: in scope. Note that enterprise-level reporting obligations differ from entity-level obligations and one does not discharge the other.

3

Is the undertaking a listed SME?

Fully exempt. The original CSRD would have captured you. It no longer does.

4

Is the undertaking a Wave 1 entity that began reporting for FY2024 but now falls outside the revised thresholds?

Member States may exempt you for financial years 2025 and 2026. Until your Member State transposes the exemption, assume the existing obligation continues.

5

Is the undertaking an EU subsidiary of an in-scope parent?

The subsidiary exemption is extended to public interest entities listed on EU-regulated markets. Check whether your parent's reporting discharges your obligation, and note that Article 40a enterprise-level reporting may apply regardless.

6

None of the above?

Out of scope. Proceed to section 2, which is the paper that matters to you.

TWO TRAPS IN THE DETERMINATION

First: falling out of scope for FY2027 does not extinguish an obligation for FY2025 or FY2026 unless your Member State has legislated the exemption. Second: the directive contains review clauses requiring the Commission to reassess the thresholds. Scope may tighten again, and a company that dismantled its reporting capability will rebuild it at a premium.

2. You are out of scope. Now decide.

Decision framework diagram showing three defensible CSRD scope positions versus a fourth position resulting from inaction

Figure 1 — Three defensible positions, and the fourth that is chosen by inaction.

There are three defensible positions, and one indefensible one that most companies will drift into by inaction. The indefensible position is to continue reporting exactly as before, unassured, on a voluntary basis, with the same disclosures made for the same regulatory reasons that no longer apply — thereby accepting all of the liability of a public claim and none of the credibility of a required one.

Position A — Stop

Cease sustainability reporting. Withdraw the public commitments that cannot be substantiated. Retain only what is contractually required.

This is a legitimate position and it is more honest than most of the alternatives, but it is available only to companies with no sustainability-linked finance, no customer supply chain requirements, no ESG rating that affects capital access, and no outstanding public commitments. It is also irreversible in reputational terms: an organisation that publicly withdraws from sustainability disclosure in 2027 will find that decision quoted back to it for a decade.

The test: can you name every party currently relying on your non-financial disclosures? If you cannot, you cannot choose this position, because you do not know what you are withdrawing.

Position B — Report to the voluntary standard

Report under the voluntary standard for SMEs, the VSME, which the European Commission is expected to adopt by delegated act. The value chain cap makes this position structurally attractive: information requests from in-scope customers to protected undertakings below 1,000 employees cannot lawfully exceed the VSME standard. A company that reports to VSME has, by construction, satisfied the maximum that its customers may demand of it.

This is the correct default for most mid-market companies. It converts an open-ended compliance exposure into a bounded one.

Position C — Report and assure voluntarily, and say why

Continue full reporting, obtain assurance without being required to, and make the voluntary nature of both explicit.

This position is expensive and, for the right company, decisive. It is available where non-financial performance is a commercial asset rather than a compliance cost: where a lender prices credit on it, where a customer selects on it, where an acquirer will diligence it, where an index inclusion turns on it.

The company adopting Position C should understand precisely what it is buying. It is not buying a clean conclusion — every prepared reporter obtains one of those. It is buying the demonstrable fact that it obtained the conclusion when nothing compelled it to.

A required assurance report proves that a company obeyed the law. A voluntary one proves that a company was confident enough in its own numbers to invite examination it could have avoided.

The drift position — continue as before

Keep publishing the sustainability statement, on the same template, because it is easier than deciding not to. Do not obtain assurance, because it is no longer required and the fee is now visible. Retain every public target.

This is the position that maximises exposure. The company has made a full set of public non-financial assertions, subject to consumer protection law, securities law and green claims enforcement, without the mitigating evidence that an assurance engagement would provide, and without the defence that it was legally required to make them.

3. Who still holds you to it

The premise of the drift position is that when the regulator leaves, scrutiny leaves. The premise is false. The following parties are unaffected by Omnibus I and, in each case, their reliance on non-financial information is contractual, commercial or judicial rather than regulatory.

Party

What they rely on

What Omnibus I changed for them

Lenders

Sustainability-linked loan margin ratchets, KPIs verified annually, green loan use-of-proceeds reporting

Nothing. The covenant is in the facility agreement, not the directive. Loss of mandatory assurance strengthens the lender's demand for verification.

Insurers

Underwriting of D&O, environmental liability and climate exposure

Nothing. The absence of assurance becomes an underwriting input.

Strategic customers

Supplier codes, supply chain requirements, procurement scoring

The value chain cap limits what an in-scope customer may request from a protected undertaking. It does not oblige them to buy.

Index and rating providers

MSCI, Sustainalytics, S&P CSA submissions and public disclosure

Nothing. They score what you publish, and score absence.

Consumer regulators

Environmental claims on products, packaging and marketing

Nothing. Green claims enforcement is not a function of the CSRD and applies to any assertion made to a consumer.

Securities litigants

Public statements about climate risk, transition plans and performance

Nothing. Directors' duties did not narrow on 18 March 2026. The reporting perimeter did.

Acquirers

Diligence on non-financial liabilities, contingent obligations and undisclosed exposures

Nothing, except that the absence of a documented control environment becomes a price adjustment.

The asymmetry

The regulator's departure removes the obligation to make the assertion.

It removes nothing from the consequences of having made it.

For most companies the number of public non-financial assertions already in circulation — targets, commitments, product claims, supplier codes — is considerably larger than the number the CSRD ever required.

4. You are still in scope. What actually changed.

For the several thousand undertakings that remain within the CSRD, the operative changes are not principally about scope. They are about assurance, evidence and materiality, and they alter what a readiness programme should prioritise.

  1. Reasonable assurance is off the roadmap. Limited assurance is the permanent requirement and the escalation pathway is removed. Any internal programme sequenced towards reasonable assurance readiness should be re-based. The controls work retains its value; the destination has changed.

  2. The EU assurance standard is delayed. Adoption is postponed to no later than 1 July 2027, with alignment to ISSA 5000 anticipated. In the interim, ISSA 5000 becomes effective globally for periods beginning on or after 15 December 2026. Prepare to ISSA 5000.

  3. Datapoints fall; documentation rises. The amended ESRS reduce prescribed datapoints substantially and shift weight onto materiality judgement and documentation. Teams gain more from tightening the materiality determination and building a clean evidence trail than from pre-collecting every datapoint on an older list.

  4. Sector standards are gone. The requirement for sector-specific ESRS has been removed. Entity-specific disclosures now carry the weight that sector standards would have carried, which makes the materiality determination more consequential, not less.

  5. The value chain evidence boundary has moved. Protected undertakings below 1,000 employees may lawfully refuse requests exceeding the VSME standard. Your Scope 3 and supplier social data now rest on your own estimation controls, and your assurance provider must consider whether the data you did obtain was obtained in compliance with the cap.

  6. Transition plans are no longer mandatory under the CSDDD. The obligation to adopt and implement a Paris-compatible climate transition plan has been removed. Any transition plan you publish is now a voluntary forward-looking claim, with all that implies.

The revised readiness priorities

Rank

Priority

Why it moved

1

Evidence the double materiality determination: matters considered, matters rejected, evidence for each, approver, date

Fewer datapoints and no sector standards mean the materiality judgement carries more weight. ISSA 5000 requires the practitioner to evaluate whether material matters were overlooked.

2

Register value chain counterparties and identify protected undertakings

New obligation created by the cap. Your practitioner must consider whether data was lawfully obtained.

3

Document Scope 3 estimation methodology and disclose it as estimation

The corroboration boundary has moved inwards. Your estimation control is now the load-bearing evidence.

4

Build internal controls over sustainability reporting that operate during the period

Limited assurance will never test them. Nothing else will either, unless you do.

5

Substantiate every narrative assertion of progress or leadership

Narrative is within assurance scope and is the raw material of green claims enforcement.

6

Re-base the assurance roadmap; consider voluntary reasonable assurance on two or three priced metrics

The legislated escalation is gone. Voluntary escalation is now the only way to signal control maturity through the assurance report.

7

Collect the full ESRS datapoint set

Demoted. The amended ESRS cut datapoints significantly; over-collection against an obsolete list is now a common and expensive error.

THE SINGLE MOST USEFUL THING AN IN-SCOPE COMPANY CAN DO THIS YEAR

Not collect data. Minute a materiality decision. A dated record of which sustainability matters were considered, which were rejected, on what evidence, and by whom — approved by a body with the authority to approve it — is the artefact that ISSA 5000 requires and that almost no reporter can currently produce.

Questions this paper answers

What are the CSRD thresholds after Omnibus I?

The Omnibus I directive narrows CSRD scope to EU undertakings with more than 1,000 employees and more than €450 million in net turnover. Non-EU parent undertakings are in scope where they generate more than €450 million of net turnover in the EU and have either an EU subsidiary meeting the large-undertaking criteria or an EU branch generating more than €200 million. Listed SMEs are fully exempt. The revised scope applies for financial years beginning on or after 1 January 2027.

When did the Omnibus I directive take effect?

Directive (EU) 2026/470 was published in the Official Journal of the European Union on 26 February 2026, following adoption by the Council on 24 February 2026, and entered into force on 18 March 2026. Member States must transpose it by 19 March 2027. The European Parliament had approved the provisional agreement on 16 December 2025.

Is limited assurance still mandatory under the CSRD?

Yes. Limited assurance remains mandatory for entities within the narrowed scope, and Omnibus I confirms it as the permanent requirement rather than a transitional step. The legislated pathway to reasonable assurance has been removed. An EU-wide limited assurance standard is to be adopted no later than 1 July 2027, with alignment to ISSA 5000 anticipated.

What is the value chain cap?

The Omnibus I directive limits the sustainability information that a reporting company may request from undertakings in its value chain that employ fewer than 1,000 employees. These protected undertakings have a legal right to refuse requests exceeding the forthcoming voluntary standard for SMEs. Assurance providers must consider whether reported value chain data was obtained in compliance with the restriction.

Our company has fallen out of CSRD scope. Should we stop reporting?

Only if you can name every party currently relying on your non-financial disclosures, and none of them is a lender, an insurer, a strategic customer, an index provider or an acquirer. The regulatory obligation to make non-financial assertions has been withdrawn. The legal and commercial consequences of the assertions already in circulation — targets, commitments, product claims, supplier codes — have not. Continuing to report without assurance, on the same template, for reasons that no longer apply, is the position that maximises exposure.

What should an out-of-scope company report instead?

For most mid-market companies, reporting to the voluntary standard for SMEs is the correct default. The value chain cap means that in-scope customers cannot lawfully demand more than the VSME standard from a protected undertaking, so reporting to VSME converts an open-ended compliance exposure into a bounded one. Companies for which non-financial performance is a priced commercial asset should consider continuing full reporting with voluntary assurance, and should make the voluntary nature explicit.

What should an in-scope company prioritise now?

Evidencing the double materiality determination, because the amended ESRS cut datapoints and removed sector standards, placing more weight on the materiality judgement, and because ISSA 5000 requires the practitioner to evaluate whether material matters were overlooked. Then registering value chain counterparties to identify protected undertakings, documenting Scope 3 estimation methodology, and building controls over sustainability reporting that operate during the period rather than after it. Collecting the full ESRS datapoint set has been demoted; the amended standards cut datapoints significantly and over-collection against an obsolete list is now a common error.

Could CSRD scope widen again?

The Omnibus I directive includes review clauses requiring the Commission to periodically reassess the thresholds, both to adjust for inflation and to assess whether the revised scope produces sufficient sustainability information for EU users. Scope may therefore tighten again. A company that dismantles its reporting and control capability entirely will rebuild it at a premium and under time pressure.

References and sources

  • Directive (EU) 2026/470 (the Omnibus I directive), published in the Official Journal of the European Union on 26 February 2026; entered into force 18 March 2026; Member State transposition deadline 19 March 2027.

  • Council of the European Union, press release of 24 February 2026: Council signs off simplification of sustainability reporting and due diligence requirements.

  • Accountancy Europe, Omnibus explained: key changes to the CSRD and CSDDD, 2026 — confirming that limited assurance remains mandatory and that an EU limited assurance standard is to be adopted no later than 1 July 2027.

  • Directive (EU) 2025/794 (the "stop-the-clock" directive), postponing application of reporting requirements for Wave 2 and Wave 3 entities.

  • EFRAG, final technical advice to the European Commission on the amended ESRS, reducing prescribed datapoints and increasing the weight placed on materiality judgement and documentation.

  • IAASB, International Standard on Sustainability Assurance (ISSA) 5000, issued November 2024; effective for periods beginning on or after 15 December 2026.

  • European Commission recommendation on the Voluntary Sustainability Standard for micro, small and medium-sized enterprises (VSME); delegated act anticipated 2026.

  • Speeki, What ESG Report Assurance Actually Requires (Whitepaper Series 2, Paper 07), July 2026.

About Speeki

Speeki is an accredited ESG assurance and certification body operating in more than 100 countries. Speeki provides management system certification, verification and validation, and sustainability assurance. Speeki does not provide consulting services. Its independence is structural.

For current details of Speeki's accreditations and their scope, please refer to speeki.com.

© 2026 Speeki. This paper is provided for general information and does not constitute legal, accounting or assurance advice.