The European Parliament took a decisive step towards a new form of corporate sustainability regulation on 16 December 2025. By formally adopting the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD) the legislative process that was part of the package was completed Omnibus I. This step comes after a long period of legal uncertainty and brings fundamental changes aimed primarily at streamlining obligations and reducing administrative burden for European and global companies.

CSRD Reform: Higher Thresholds and Simplified Audit

One of the most significant changes under the revised CSRD is significant increase in threshold values, which determine which companies are subject to the reporting obligation. For entities from the European Union, the so-called „2nd wave“ of obligations will start from the financial year 2027. Now, only those companies that have more than 1,000 employees and their net turnover exceeds EUR 450 million.

For groups based outside the EU (under the "4th wave" from 2028), the conditions have been set as follows:

• They must achieve a net turnover within the EU of more than EUR 450 million in each of the last two financial years.
• At least one of their subsidiaries or branches in the EU must have a turnover of more than EUR 200 million.
• Interestingly, for these non-European groups it was completely employee number threshold removed.

In addition to changing the scope, the directive also brings relief in the area of auditing. The Commission has abandoned the adoption of standards for "reasonable assurance" and will instead issue standards for limited certainty, which auditors will have to apply. A significant exemption was also granted to financial holding companies, which do not perform management activities and hold shares only for investment purposes, thus avoiding unnecessary burdens in private equity structures.

Protecting the value chain and sensitive data

The new legislation introduces the so-called "value chain ceiling", which serves to protect smaller trading partners. Entities with fewer than 1,000 employees may decline to provide information beyond the voluntary standards. In addition, reporting companies may rely on simple self-declaration partners about their size without the need for further verification, unless it is clearly incorrect. At the same time, these companies are prohibited from requesting information from partners beyond the established limits.

An important aspect is also protection of sensitive information. Companies can withhold data the disclosure of which would endanger their trade secrets, intellectual property, security or harm their commercial interests. Last but not least, the Commission's power to adopt mandatory sectoral standards (ESRS) to replace the non-binding sectoral guidelines.

CSDDD: A new approach to due diligence

The CSDDD Directive has also undergone a fundamental transformation, with its thresholds set even higher than those of the CSRD. For EU companies, the employee threshold has been increased from 1,000 to 5 000 and the turnover threshold at EUR 1.5 billion. For non-European groups, the only condition is a net turnover in the EU of over EUR 1.5 billion, again regardless of the number of employees.

Key changes in the CSDDD include:

1. Cancellation of climate transition plans: To avoid duplication, companies no longer need to adopt a formal climate transition plan.
2. Risk-based approach: Companies need to conduct detailed mapping only if there is evidence of negative impacts, first conducting a broad assessment of the scope and only then conducting in-depth assessments in identified high-risk areas.
3. From suspension to termination: The previous „obligation to end“ relationships is changing to „"obligation to temporarily suspend"“ as a last resort. The company may waive the suspension if it would cause greater harm than the negative impact itself, but must justify this to the supervisory authority.

Legal liability and sanctions

In the area of law enforcement, the directive represents a significant step forward. The original plan for a harmonised civil liability regime across the EU has been abandoned. Infringements will be governed by the national regimes of each Member State, which simplifies enforcement but may lead to legal fragmentation. However, administrative sanctions are capped at 3 % of net worldwide turnover society.

Implementation schedule

Once it enters into force (20 days after publication in the Official Journal of the EU), Member States will have 12 months for transposition into national law. Specifically for the CSDDD, states must adopt legislation within July 26, 2028. The companies themselves must comply with the rules by 26 July 2029 and disclose the first necessary information by January 1, 2030.

These changes represent a pragmatic shift in European legislation, where the emphasis is shifting from the quantity of reported data to its quality and the management of real risks, while taking into account the competitiveness of European businesses in a global context. JRi