EU's Omnibus proposes major changes to corporate sustainability and due diligence

On 26 February 2025, the European Commission published its Omnibus Simplification package, which proposes to amend the Corporate Sustainability Reporting Directive (CSRD), the Corporate Sustainability Due Diligence Directive (CS3D) and the Carbon Border Adjustment Mechanism Regulation (CBAM). The Omnibus’ explanatory memorandum also denotes the intention to separately amend the European Sustainability Reporting Standards (ESRS) which provide the framework for reporting under CSRD. 

Despite its objective of simplification, the Omnibus has created at least a temporary degree of legal uncertainty, particularly as both CSRD and CS3D have already taken effect, with the first wave of companies required to report under CSRD during 2025 on the 2024 financial year. 

What the package entails

The Omnibus package included a proposal, commonly referred to as the “stop-the-clock” directive, to postpone certain implementation dates of the laws already in place, thereby allowing legislators time to renegotiate the substantive texts. The adoption of this directive was fast-tracked, and it came into effect on 17 April 2025, postponing the dates by which the second and third wave of companies are required to report under CSRD by two years (from 2026 to 2028 for “second wave” companies, and so forth) and some of CS3D’s deadlines.

Member States are required to transpose these postponements into national law by 31 December 20205. While most Member States have by now transposed CSRD into law, the European Commission had previously taken enforcement action against 17 Member States which missed the July 2024 transposition deadline. Those Member States which have not yet transposed CSRD would presumably now need to do so, in order to incorporate these postponed dates. In the meanwhile, many companies required by CSRD to report during 2025 in these non-compliant Member States remain unsure of the applicable legal position.

Aside from the dates, the substantive amendments proposed by the Omnibus remain subject to legislative negotiations, and until such time as amendments are enacted the existing requirements of CSRD and CS3D remain in place. The EU Presidency published its compromise text on the Omnibus’ substantive proposal 16 April 2025, and the debate is currently taking place in the EU Parliament. 

Key changes proposed by the Omnibus to CSRD - which requires reporting against a wide range of sustainability information points set out in the ESRS - include a significant increase in the thresholds that determine which companies are required to report. For example, the number of employees taken into account for EU companies would rise from 250 to 1000, and the turnover to be generated in the EU for non-EU companies to be caught would increase from €150 million to €450 million. These thresholds would align with those of CS3D, which were themselves significantly increased during the turbulent negotiations of the law currently in force.

The Omnibus also proposes to remove listed SMEs, as well as “first wave” companies, from the scope of CSRD. According to the European Commission, these changes would remove 80% of companies from CSRD’s existing scope. It is particularly noteworthy that this includes the first category of companies required to report under CSRD, which were previously required to report under CSRD’s predecessor, the EU Non-Financial Reporting Directive (NFRD). By the time Omnibus removes them from the scope of CSRD, many of these companies would have reported their sustainability information both under CSRD for at least a year, as well as for several preceding years under NFRD, which was adopted in 2014. Insofar as NFRD has been replaced by CSRD, these companies would - if Omnibus is adopted in its current form - eventually no longer have to report sustainability information, after they were the early adopters and leaders for several years. 

Human rights and environmental due diligence under scrutiny

The Omnibus seems to have generated its most heated debate, however, in the context of its proposed amendments to the mandatory human rights and environmental due diligence (mHREDD) requirements of CS3D. Some of these proposals include limiting the definition of “stakeholders”, no longer requiring companies to terminate business relationships under certain circumstances (although retaining the requirement to suspend such relationships) and reducing the frequency by which adequacy and effectiveness of due diligence process need to be monitored from annually to every five years. 

It would also remove the requirement on Member States to introduce a civil remedy, while retaining certain procedural provisions for claimants which rely on Member States’ national legal frameworks to seek redress. Controversially, it proposes to remove the “mandatory override provision” which determines the applicable law as that of the relevant Member States, rather than (per the Rome II Regulation) the jurisdiction where the harm occurred. As most third countries currently do not have equivalent mHREDD requirements, the removal of this provision may render the civil liability clause meaningless for parties who are adversely affected by EU companies outside of the EU. 

Two proposed amendments have drawn particular interest. Firstly, CS3D as currently enacted requires a two-phased approach to risk assessment: 

• The company is first required to undertake a risk mapping of its own operations, subsidiaries and its entire supply chain, to identify where the risks are most severe and likely. (The concepts of severity and likelihood are drawn the UN Guiding Principles on Business and Human Rights (UNGPs), and also reflected in the ESRS definition for assessing the company’s impact, as part of the “double materiality assessment”.)
• Thereafter, based on this risk mapping, the company is required to undertake in-depth assessments of those areas where the risks are most severe and likely. 

The Omnibus proposes to amend only this second phase, by requiring companies to continue to undertake in-depth risk assessments of their own operations, subsidiaries and direct business partners, and of indirect business partners where “plausible information” suggests that there may be risks. The current text of the CS3D does not distinguish between direct and indirect business partners for this purpose and original reports have criticised this proposal as ‘removing’ indirect suppliers (i.e. those beyond “tier one”) from the scope of the risk assessment. 

Implications

However, in practice there would be no significant difference from the current position: a company would in any event realistically base its decision on where to undertake in-depth risk assessments on information which seems plausible, even in relation to its own operations and direct suppliers. In its compromise text, the EU Presidency proposes to define “plausible information” as “information that objectively has a reasonable likelihood of being true”, explaining that this may include reports about the sector or region, produced by government, multilateral or industry bodies, academic studies or NGOs. 

Secondly, and perhaps most surprisingly, Omnibus proposes to add a unique new provision to both CS3D and CSRD. It would effectively prohibit companies from asking suppliers with less than 500 employees (or 1000 employees in the case of CSRD) questions that are not aligned with the Voluntary Reporting Standards for SMEs (VSME), which are to be introduced through Commission-delegated legislation. The caveat would be that companies may ask for ‘additional information’ if it is necessary to undertake risk mapping and where it “cannot reasonably be obtained by other means”. 

According to the explanatory memorandum, these provisions were added to reduce the burden on SMEs and “small midcap companies”, by “limiting information requests”. This appears to be a novel application given that the EU’s threshold for defining an SME refers to 250 employees. Moreover, this limitation is likely to increase the burden on in-scope companies, which would need to ensure that their questions are sufficiently comprehensive to identify the issues they need to address in their supply chains, while at the same time not exceeding the limits of the VSME standards.

This approach seems also to contradict the other EU supply chain laws, such as the EU Deforestation Regulation, which requires information on due diligence to individual plot level, and the EU Forced Labour Regulation, which will ban products made with forced labour regardless of whether by a direct or indirect supplier. To comply with these laws, companies would need the freedom to seek information deep into the supply chain, including from SMEs.