
Understanding the EU’s Corporate Sustainability Reporting Directive (CSRD) and Corporate Sustainability Due Diligence Directive (CS3D/CSDDD)

  • Writer: Gasilov Group Editorial Team
  • Dec 3, 2025

Updated: 5 days ago

EU sustainability regulation is no longer a distant horizon. The first companies are already applying the Corporate Sustainability Reporting Directive (CSRD) for their 2024 financial year, with reports due in 2025, according to the European Commission's official guidance. At the same time, the Corporate Sustainability Due Diligence Directive (CS3D or CSDDD) entered into force in July 2024 and will be transposed into national law over the next few years, creating binding human rights and environmental due diligence duties across global value chains.



Executive Summary


The EU is tightening expectations for how companies report on sustainability and manage risks in their value chains. Two pillars define this shift. CSRD sets a detailed reporting regime that requires thousands of companies to disclose strategy, governance, metrics and targets under a double materiality lens using ESRS standards. CS3D establishes a binding duty to identify, prevent, mitigate and remediate human rights and environmental harms across operations, subsidiaries and relevant business partners.


The Omnibus I Directive (EU) 2026/470, formally adopted by the Council of the European Union on 24 February 2026 and published in the Official Journal on 26 February 2026, has now settled the scope and obligations for both directives. The Omnibus narrowed the number of companies subject to CSRD and CS3D, simplified ESRS reporting requirements, removed the CS3D climate transition plan obligation, and eliminated the EU harmonised civil liability regime. These are material changes, but both directives still create a durable baseline for credible sustainability data, integrated risk management and transparent climate planning that investors and regulators will expect regardless of the reduced formal scope.


For leaders, the real task is to build systems that withstand regulatory evolution and link disclosure with due diligence. That means treating ESRS as a coherent data model, strengthening controls and assurance, aligning financial and sustainability planning, and designing value chain due diligence that focuses on real risks instead of paperwork. Companies that integrate CSRD and CS3D into one operating model, supported by standard processes for risk assessment, supplier engagement and grievance handling, will be better placed by the time CS3D obligations apply in July 2029. The firms that move beyond minimum compliance and use the directives to refine strategy, investment and stakeholder engagement will have a clearer narrative for capital markets and stronger resilience across their global activities.


Understanding the EU’s CSRD and CS3D: how to turn regulation into strategy in 2026


The Omnibus I package moved from a Commission proposal in February 2025 through trilogue negotiations, a provisional agreement in December 2025, European Parliament endorsement on 16 December 2025, and final Council adoption on 24 February 2026. The Directive enters into force on 18 March 2026. Member States must transpose the CSRD-related provisions by 19 March 2027 and the CS3D-related provisions by 26 July 2028.


The final text went further than the Commission's original proposal. Where the Commission had suggested keeping CS3D's employee threshold at 1,000, co-legislators raised it to 5,000. Where the Commission proposed focusing due diligence assessment on direct business partners, the final text preserved a risk-based approach across the full chain of activities. And where the original CS3D required companies to adopt and implement a climate transition plan, that obligation was removed entirely. These are not minor adjustments. They reshape who is in scope, what they must do, and how national transposition will unfold.


For boards and executives, the question is not simply how to "comply," but how to build reporting and due diligence systems that remain robust through further revisions and are credible in front of European regulators, capital markets, and NGOs. The Omnibus includes review clauses for both CSRD and CS3D, meaning scope could tighten again after April 2031 when the Commission reports to Parliament and Council on whether CSRD coverage should be extended. Given this landscape, three themes matter most. Companies need to understand what CSRD now asks them to publish under the simplified ESRS, how CS3D redefines responsibility for impacts in the value chain under the final adopted text, and where to invest in capabilities that can survive a decade of regulatory updates without constant redesign.


Why CSRD has become the anchor of EU sustainability reporting


CSRD's role as the anchor of EU sustainability reporting is best understood by looking at its revised scope and its level of detail. Under the adopted Omnibus, CSRD now applies to EU entities with more than 1,000 employees and above 450 million euros in annual net turnover, a significant increase from the original 250-employee threshold. For non-EU groups, the updated requirements apply only where the parent undertaking has annual net turnover above 450 million euros within the EU and the subsidiary or branch generates turnover above 200 million euros. The Commission estimates the scope reduction removes around 80 percent of previously covered companies.


CSRD requires these companies to report, using European Sustainability Reporting Standards (ESRS), on strategy, governance, policies, targets, metrics, and due diligence processes across a wide set of environmental, social, and governance topics, all under a "double materiality" lens. That lens covers both how sustainability issues affect the company and how the company impacts people and the environment. The Omnibus preserved the double materiality principle.

The ESRS themselves are being substantially simplified. The Commission must adopt a delegated act containing revised ESRS by 18 September 2026, based on technical advice from EFRAG. Data points are expected to be reduced from roughly 1,073 to around 320, a cut of approximately 70 percent. Sector-specific standards have been removed. Assurance requirements will remain at limited assurance only, with no transition to reasonable assurance as originally planned.


Public interest entities with more than 500 employees, previously reporting under the Non-Financial Reporting Directive, are reporting on 2024 data in 2025. However, the Omnibus provides Member States with the option to exempt "wave one" companies that now fall outside the revised scope thresholds from reporting obligations for financial years 2025 and 2026. Wave two companies that remain in scope will first report in 2028 in respect of the financial year starting on or after 1 January 2027. Even with the reduced scope, the first wave of reports will shape investor expectations for the entire EU market and for international groups that rely on European funding.


There is also a new value chain cap: companies subject to CSRD are limited in the information they can request from smaller undertakings with fewer than 1,000 employees in their value chain. Those smaller companies can refuse to provide reporting information beyond what is outlined in the voluntary sustainability reporting standard for SMEs (VSME), which the Commission is expected to publish by June 2026.


Concrete examples show how leading companies are already aligning their reporting architecture with CSRD logic, even before the simplified standards are finalised. RWE, the German energy group, has used its Sustainability Strategy Report and related materiality work to prepare for CSRD, updating its analysis of environmental, social, and governance topics in 2022 and 2023 using the CSRD topic catalogue and a stakeholder survey to identify priority issues and double materiality. In 2025, RWE published a Supplementary Sustainability Report 2024 that bridges its Annual Report with additional sustainability topics, explicitly structured around the output of its double materiality assessment. This approach does not guarantee perfect CSRD compliance, but it illustrates what it looks like to integrate double materiality into mainstream corporate reporting rather than treating it as an external add-on.


For companies that are only now mobilising, three CSRD capabilities deserve priority because they are difficult to retrofit later.


First, companies should treat the ESRS as a data model, not only a disclosure checklist, by defining a single enterprise view of metrics, calculation methods, and data owners for climate, pollution, water, workers, and governance topics. The simplified ESRS will reduce the number of data points, but the underlying data architecture still needs to be coherent and auditable.


Second, companies should align internal controls for sustainability data with financial reporting standards, including documented processes, clear second-line review, and early engagement with assurance providers. Under the adopted Omnibus, limited assurance is the standard. Companies should prepare for that level now rather than waiting.


Third, companies should connect sustainability disclosures with financial planning and risk management, for example by ensuring that transition plan assumptions, carbon prices, and capex figures reconcile with the business plan and the financial statements.


In our experience, CSRD programs often fail when they are scoped as a one-time reporting exercise instead of a long-term change in how the organisation uses data to manage risk and allocate capital. The most resilient implementations treat CSRD as a catalyst to rationalise ESG data systems and embed sustainability scenarios into core planning cycles, rather than a parallel stream owned only by a sustainability team.

If you want to stress test your current CSRD roadmap against where regulation and investor expectations are heading, this is a good moment to bring in an outside view. A short, focused diagnostic of governance, data, and controls often surfaces structural issues that would otherwise only appear during the first external assurance cycle, when change is far more expensive.

Priority 2: design CS3D due diligence that actually works in the value chain


If CSRD defines what you need to disclose, the Corporate Sustainability Due Diligence Directive (CS3D or CSDDD) sets expectations for how you run due diligence in practice across your value chain. CS3D entered into force in July 2024, and the adopted Omnibus has now settled its final scope and obligations. Member States must transpose the amended CS3D by 26 July 2028, and in-scope companies must comply from 26 July 2029, on a single application date rather than the previously planned phased approach.


Under the final text, CS3D applies to EU companies with more than 5,000 employees and above 1.5 billion euros in net worldwide turnover. Non-EU companies with EU net turnover above 1.5 billion euros are also in scope. These thresholds are assessed on a standalone or consolidated basis.


Companies in scope must identify, prevent, mitigate and, where needed, remediate adverse human rights and environmental impacts. The final text preserves and further defines a risk-based approach to identifying and assessing adverse impacts across a company's broader value chain, including all business partners within the "chain of activities." This is significant: proposals during negotiations to fundamentally limit due diligence to direct suppliers were rejected. However, companies can focus their assessment on areas where actual and potential adverse impacts are most likely to occur, and where equally severe impacts exist in multiple areas, they have flexibility in how they prioritise.


Three major obligations from the original CS3D were removed or changed in the final Omnibus:


  • The climate transition plan requirement was deleted in its entirety. Companies are no longer required under CS3D to adopt and implement a transition plan for climate change mitigation. However, CSRD still requires companies to disclose a transition plan if one exists. The practical result is that having a transition plan is no longer legally mandatory under CS3D, but companies that do have one must disclose it under CSRD, and investors, lenders, and capital markets will continue to expect one.

  • The EU harmonised civil liability regime was removed. Companies will be liable at a national level for failure to apply the rules correctly, with penalties capped at 3 percent of net worldwide turnover. The Commission will issue guidelines on penalties.

  • The harmonisation requirement for Member State transposition was expanded, now covering CS3D obligations related to prioritisation, monitoring due diligence measures, and reporting. However, Member States retain room to adopt additional due diligence obligations for specific products, services, or situations. Monitoring national transposition will therefore remain important.


For practical purposes, senior teams should not treat the Omnibus changes as a reason to pause. The core due diligence duty is law, and national regimes in Germany, France and Norway already require similar behaviour. A useful way to operationalise CS3D is to treat those national laws as a live test bed and to build a group-wide model that can absorb both current and future EU requirements.


The German Supply Chain Act (LkSG) illustrates both the value and the flux of this approach. The law, in force since January 2023, requires companies with at least 1,000 employees in Germany to implement a risk management system for human rights and environmental risks, run regular risk analysis, operate complaint channels and publish reports. However, the regulatory landscape for the LkSG is shifting rapidly. The German coalition agreement of April 2025 announced the intention to repeal the LkSG and replace it with legislation implementing the CSDDD.


In September 2025, the Federal Cabinet approved a draft amendment abolishing the LkSG's reporting obligation and reducing sanctions to cover only serious violations. BAFA, the enforcement authority, has suspended review of corporate reports and indicated it will only impose fines for particularly serious breaches. The LkSG is expected to remain in effect in reduced form until it is formally replaced by Germany's CSDDD transposition law, which must be adopted by July 2028.

RWE, the German energy group, responded to the LkSG by rolling out a structured training program for suppliers setting out the law's scope, the nine due diligence obligations and the expectation that all RWE suppliers, regardless of geography, implement measures to prevent human rights and environmental violations and accept audits and information requests. Companies that built these systems under LkSG should maintain them; they form a foundation for CS3D compliance.


In France, the Duty of Vigilance law requires large companies to publish vigilance plans that identify and prevent serious risks to human rights, health, safety and the environment across their operations and value chains. The litigation against Danone over plastic use under this law, and the settlement announced in February 2025, show how these obligations translate into concrete commitments. Danone agreed to reinforce its vigilance plan on plastic-related risks, strengthen prevention measures, publish its plastic footprint and hold annual meetings with NGOs until 2027, in exchange for the NGOs withdrawing their court action.


For CS3D readiness, these precedents suggest a few immediate priorities that go beyond policy updates. A practical CS3D program typically focuses on the following building blocks:


  • Map the "chain of activities" and existing controls so you know where human rights and environmental risks sit, which suppliers and business partners are already under some form of due diligence, and where there are blind spots.

  • Design a group-level risk methodology that works across CSRD, CS3D and national laws, using consistent severity and likelihood scales, so that risk-based prioritisation is defensible to regulators and investors.

  • Rebuild supplier engagement around risk, not only coverage, combining contractual clauses, audit or assurance where it genuinely adds value, and targeted capacity building for higher-risk partners. Note that under the adopted Omnibus, CS3D-covered companies should rely primarily on reasonably available information rather than systematically requesting data from smaller value chain companies.

  • Align grievance and whistleblowing channels with CS3D expectations, including access for external stakeholders and clear processes for feedback and remediation.


Our work with clients shows that CS3D often fails when it is treated purely as a legal drafting exercise. Companies that start instead with a real view of value chain risks, and that involve procurement, operations and sustainability teams from the outset, tend to land on due diligence that both satisfies counsel and supports commercial strategy.


Priority 3: integrate CSRD and CS3D into one operating model


The most efficient approach is to treat CSRD and CS3D as two sides of the same system. CSRD sets detailed disclosure requirements, including due diligence information in several ESRS social and governance standards. CS3D requires an underlying process for identifying and managing impacts, and will itself involve annual reporting. Under the adopted Omnibus, the obligation for CS3D-covered entities to publish an annual statement on sustainability due diligence matters begins for financial years starting on or after 1 January 2030.


A pragmatic integrated model usually has three features. First, companies should run one central sustainability risk and reporting office that owns CSRD scoping, ESRS interpretations, CS3D policy and the mapping of national due diligence laws. Legal and finance stay closely involved, but sustainability is accountable for coherence. Second, companies should define standard global processes for risk assessment, escalation and remediation, and then adapt them to local legal nuances, rather than letting each jurisdiction invent its own approach. This is especially important now that the Omnibus has expanded the harmonisation requirements for CS3D transposition while still allowing Member State variations. Third, they should ensure data flows both ways. Due diligence findings should inform CSRD metrics and narrative, while CSRD disclosures help focus CS3D efforts on the most material issues and supply chain segments.


Given the finalised but still operationally complex landscape, an external partner can help pressure test this operating model, benchmark it against peers and stress test it against the simplified ESRS (expected by September 2026) and national transposition approaches in key EU markets. The goal is not a perfect blueprint, but a resilient structure that can absorb changes without constant redesign.


What “good” looks like by 2029


By the time in-scope companies must comply with CS3D in July 2029, and as CSRD reporting cycles extend to more companies, boards and executives will want confidence that their program is more than compliant on paper. Based on the adopted Omnibus and national practice to date, a credible posture typically includes:


  • CSRD reports that investors and auditors view as consistent and decision-useful, with clear explanations of double materiality, robust treatment of climate, and a transparent account of limitations, prepared under the simplified ESRS and subject to limited assurance.

  • A documented CS3D due diligence process that can be explained in plain language to regulators, NGOs and affected communities, including how the company prioritises risks when it cannot address everything at once, consistent with the risk-based approach confirmed in the final Omnibus text.

  • Evidence that national laws such as the German Supply Chain Act (in its transitional form pending CSDDD transposition) and the French Duty of Vigilance are embedded in procurement, operations and M&A processes, not only in corporate policies.


  • A climate transition plan, even though it is no longer legally required under CS3D, that aligns with CSRD climate disclosures and investor expectations, with clear levers, investment assumptions and links to executive oversight. The removal of the CS3D mandate does not eliminate the market expectation. Banks, investors, and asset managers continue to require transition plan data under their own regulatory frameworks, including the Capital Requirements Directive and EU Green Bond Standard.


For many multinationals, the final differentiator will be how they engage stakeholders. The CS3D text and related commentary emphasise meaningful dialogue with workers, communities and civil society, and several recent cases in France and Germany show that litigation and NGO strategy are evolving. Companies that learn to work with, rather than simply manage, these actors will often find that they surface risks earlier and build trust that goes beyond minimal compliance.


Conclusion: from compliance project to strategic capability


CSRD and CS3D are often discussed as two regulatory headaches made lighter by the Omnibus. In reality, the Omnibus clarified scope and simplified reporting, but it did not remove the underlying expectation that large companies maintain credible sustainability data and effective value chain due diligence. The review clauses built into the adopted text mean that scope could expand again after 2031. Companies that treat the current narrower scope as a reason to stand down rather than build capability are likely to find themselves scrambling when the next cycle arrives.


For organisations that want to move beyond minimum compliance, the most effective starting point is usually a targeted diagnostic of data, governance, legal exposure and value chain risk, followed by a realistic multiyear roadmap that reflects internal capacity and the adopted timelines: simplified ESRS by September 2026, national CSRD transposition by March 2027, CS3D transposition by July 2028, and CS3D application from July 2029.

If you would like independent support to design that roadmap, align CSRD and CS3D, or review your current due diligence model against emerging practice, our team can work with you to build a solution that fits your context and risk profile.

Written by: Gasilov Group Editorial Team

Reviewed by: Arif Gasilov, Partner, Climate & Environmental Reporting

Leads CSRD and ESRS alignment, double materiality assessments, emissions baselining, and climate risk mapping, with hands-on experience across corporate and public sector sustainability engagements in North America and Europe.


Frequently Asked Questions (FAQ):


What is the key difference between CSRD and CS3D for companies active in the EU?


The Corporate Sustainability Reporting Directive (CSRD) focuses on what companies report. It expands non-financial reporting obligations and requires large EU and some non-EU companies to disclose sustainability information using European Sustainability Reporting Standards, including double materiality analysis and limited assurance.


The Corporate Sustainability Due Diligence Directive (CS3D) focuses on how companies manage impacts. It creates a due diligence duty to identify, prevent, mitigate and remediate adverse human rights and environmental impacts in own operations, subsidiaries and certain value chain partners. Under the adopted Omnibus, the CS3D climate transition plan obligation was removed, though CSRD still requires disclosure of a transition plan if one exists.


In practice, CSRD is about data and disclosure, while CS3D is about risk management, governance and stakeholder processes. The two overlap, and companies benefit from designing one integrated system.


How will CS3D apply to non-EU multinationals that only have subsidiaries or sales in Europe?


Under the adopted Omnibus, non-EU companies come into scope of CS3D if they generate more than 1.5 billion euros of net turnover in the EU, assessed on a consolidated basis for non-EU ultimate parent companies. This is a significant increase from the 450 million euro threshold in the original Directive.


The CS3D transposition deadline is now 26 July 2028, with application from 26 July 2029 on a single date for all in-scope companies. Non-EU groups should monitor transposition in the Member States where they are most exposed, but as a risk management matter many are already extending CS3D-style due diligence across global operations because investors and lenders treat EU standards as a reference point. The harmonisation provisions in the final text reduce but do not eliminate the risk of divergent national approaches.


How do German and French supply chain laws interact with CS3D and CSRD?


Germany's Supply Chain Act (LkSG) and France's Duty of Vigilance law are national predecessors to CS3D. The LkSG, in force since January 2023, requires large companies with operations in Germany to implement risk management, complaints mechanisms and reporting. However, the German government has announced the intention to repeal the LkSG and replace it with legislation implementing the CSDDD. The LkSG's reporting obligation is in the process of being abolished, BAFA has suspended report reviews, and fines are now limited to serious violations. The LkSG is expected to remain in reduced effect until Germany adopts its CSDDD transposition law by July 2028.


France's Duty of Vigilance law requires large companies headquartered in France to publish annual vigilance plans that address serious risks across their full value chains, and has already led to litigation on topics such as plastic use and labour rights.


CS3D is intended to harmonise these types of obligations at EU level. The adopted Omnibus expanded the harmonisation requirements, though Member States retain room for additional obligations in specific areas. Companies operating in Germany and France will typically design a group-level due diligence process that meets the highest common denominator, then use CSRD reports to explain how that process works and what it is achieving.


What are the first concrete steps to prepare for CS3D due diligence across the value chain?


Most companies begin by running a focused scoping and gap assessment. That includes checking whether the group meets the revised CS3D thresholds (5,000 employees and 1.5 billion euros turnover for EU companies, or 1.5 billion euros EU turnover for non-EU companies), mapping relevant entities and value chain segments, and comparing existing human rights and environmental due diligence against the final Directive requirements and national laws.


Next, they typically:


  1. Build or refine a group-wide risk methodology and heatmap that covers own operations and business partners, consistent with the risk-based approach confirmed in the adopted Omnibus.

  2. Establish or update grievance mechanisms so they are accessible to affected stakeholders and aligned with CS3D expectations.

  3. Review supplier codes, contracts and audit programs so they support risk-based prioritisation rather than blanket questionnaires. Under the final text, companies should rely primarily on reasonably available information rather than systematically requesting data from smaller value chain companies.

  4. Define a clear internal governance structure, including board oversight and cross-functional teams, to own CS3D implementation.


These steps are usually sequenced with CSRD projects so that data, materiality analysis and narrative disclosures support due diligence design and vice versa. The Commission is required to adopt CS3D guidelines by July 2027, which will provide more concrete guidance on operationalising compliance.


How should companies link due diligence with climate transition plans and CSRD climate reporting?


The relationship between CS3D and climate transition plans changed significantly under the adopted Omnibus. The CS3D obligation for in-scope companies to adopt and implement a climate transition plan was removed entirely. However, CSRD still requires companies to disclose a transition plan if one exists, and several sector-specific regulations continue to require transition plans independently.


In practice, this means companies still need transition plans, even though CS3D no longer mandates them. Banks are required to consider short-, medium- and long-term ESG risks under the Capital Requirements Directive. Green bonds require transition plans. Investors and asset managers continue to demand transition plan data for portfolio alignment and stewardship purposes.


Companies will often:


  • Use CSRD climate scenarios and Scope 1, 2 and 3 data to identify transition and physical climate risks that inform their broader due diligence process.

  • Maintain a climate transition plan voluntarily and disclose it through CSRD, ensuring it is integrated into overall risk management and strategy with clear links to capital allocation and executive oversight.

  • Avoid creating divergent narratives across different reports and regulatory submissions by anchoring all climate-related disclosures and due diligence in a single, coherent transition planning framework.

