Complete guide to CSRD reporting in 2026

TL;DR

‍

The Omnibus I Directive (24 February 2026) has fundamentally narrowed who must report under CSRD. Only companies with more than 1,000 employees AND more than €450 million in annual turnover are now required to report. The ESRS have been simplified by 61% in mandatory datapoints (71% including voluntary datapoints). The first mandatory CSRD report is due in 2028, covering FY2027 data. A new value chain cap legally protects smaller companies from excessive data requests.

‍

What is CSRD?

The Corporate Sustainability Reporting Directive (CSRD) is the EU's framework for mandatory sustainability reporting. It requires qualifying companies to disclose structured, verifiable ESG data in line with the European Sustainability Reporting Standards (ESRS).

‍

The goal is clear: give investors, regulators, customers, and other stakeholders the information they need to assess a company's sustainability performance, risks, and long-term resilience in a format that's consistent, comparable, and trustworthy.

‍

It builds on the Non-Financial Reporting Directive (NFRD), which previously applied to roughly 11,600 large public-interest companies.

‍

What changed with the Omnibus I Directive (February 2026)?

The Omnibus I Directive, adopted on 24 February 2026, is the most consequential update to CSRD since its introduction. Here's what changed and what it means in practice.

‍

Does CSRD apply to you?

Mandatory CSRD reporting now applies only to companies that exceed both of the following thresholds:

‍

  • More than 1,000 employees on average during the financial year
  • Net annual turnover above €450 million

This is a significant narrowing. The number of companies subject to mandatory sustainability reporting in the EU is expected to drop from approximately 45,000 to around 10,000 β€” a reduction of roughly 80%.

If your company is below 1,000 employees, mandatory CSRD does not apply, regardless of turnover.

‍

For non-EU companies, mandatory reporting applies if they generate more than €450 million in EU revenue, with subsidiary or branch thresholds set at €200 million.

‍

What about wave 1 companies?

Companies already required to report under NFRD (wave 1, from FY2024) remain in scope through FY2026. From FY2027 onward, only companies meeting the new Omnibus I thresholds are required to report. Member States may also exempt smaller wave 1 companies for FY2025 and FY2026.

‍

Simplified ESRS: fewer datapoints, not a free pass

On 3 December 2025, EFRAG published the amended ESRS, approved by the EFRAG Sustainability Reporting Board on 28 November 2025. The reduction in mandatory datapoints is significant. Including voluntary ('may') datapoints β€” which have been entirely eliminated β€” the overall reduction reaches 71%.

Simplified ESRS: fewer data points

What does that actually mean for reporting costs?

Fewer datapoints don't translate proportionately into less effort. According to EFRAG's cost-benefit analysis, the amended ESRS are expected to deliver overall savings of approximately 34–44% in total reporting cost compared to the original ESRS β€” once you factor in datapoint reduction, new reliefs, and simplified processes, as well as indirect savings across the value chain.

‍

The biggest cost drivers under the original ESRS? Interpreting the standards (68% of wave 1 companies flagged this as a top challenge), value chain data collection, and the double materiality assessment. The amended ESRS directly address all three.

‍

Key structural improvements in the simplified ESRS:

  • IROs to PAT traceability: the connection between Impacts, Risks, and Opportunities (IROs) and Policies, Actions, and Targets (PAT) is cleaner. The confusing many-to-many logic between ESRS 2 and topical standards has been resolved. PAT requirements are now centralised in ESRS 2 as General Disclosure Requirements (GDRs, formerly MDRs).
  • Fair presentation framework: the simplified ESRS explicitly establishes ESRS as a fair presentation framework, aligned with IFRS S1 and S2. Companies are not required to report information that is not material.
  • No more voluntary datapoints: all 270 voluntary ('may') datapoints have been eliminated. The mandatory/non-mandatory distinction is now clear.
  • Executive summary option: companies can include an executive summary at the beginning of their sustainability statement.
  • New reliefs: including "undue cost or effort" for metrics calculations, relief for partial scope reporting when data is unavailable, relief for newly acquired or disposed subsidiaries, and elimination of the preference for direct over estimated data in value chain reporting.

Sector-specific ESRS standards: removed

The Omnibus I Directive removes the Commission's empowerment to adopt sector-specific ESRS. Entity-specific disclosures are expected to capture sector-relevant information instead.

‍

The CSRD reporting deadline: 2028

The first mandatory CSRD report under the simplified ESRS is due in 2028, covering FY2027 data. This applies to all companies in scope under the new Omnibus I thresholds.

‍

For wave 1 companies still in scope, quick-fix phasing-in provisions are confirmed through FY2026. An additional phasing-in until 2029 is granted for quantitative information on anticipated financial effects and substances of concern.

‍

Updated assurance requirements

Limited assurance remains the standard. The Commission will adopt harmonised limited assurance standards by 1 July 2027. The previous requirement to move to reasonable assurance has been removed.

‍

One practical note: under the original ESRS, the absence of EU-level assurance guidance led to inconsistent, often conservative audit practices, with internal assurance support costs adding 15–25% on top of external auditor fees. Harmonised standards should help contain this.

‍

Who needs to comply with CSRD?

If your company exceeds both 1,000 employees and €450M in annual net turnover, CSRD applies to you.

Below either threshold? You're out of mandatory scope.

‍

Companies outside mandatory scope are not without options. The VSME (Voluntary Sustainability Reporting Standard for SMEs) is available and increasingly expected by banks, investors, and supply chain partners. Under the new value chain cap, the VSME also defines the maximum ESG information that can be requested from your company by larger supply chain partners.

‍

What must be in your CSRD report?

A CSRD-compliant sustainability statement must cover the following.

‍

1. Double materiality assessment (DMA): the mandatory starting point. The DMA identifies which ESG topics are material from two perspectives: how your company impacts people and the environment (impact materiality), and how ESG risks and opportunities affect your business financially (financial materiality). Both perspectives are required.

‍

2. ESG disclosures across material topics: quantifiable data covering carbon emissions (Scope 1, 2, and where material, Scope 3), energy usage, water and resource management, workforce and social policies, governance structures, risk management, and supply chain sustainability β€” but only for the topics identified as material in your DMA.

‍

3. IRO to PAT traceability: your report must show a clear, traceable connection between the Impacts, Risks, and Opportunities (IROs) you've identified and the Policies, Actions, and Targets (PAT) your company has put in place. Under the simplified ESRS, you only need to disclose PAT you have actually adopted. No requirement to explain why you haven't adopted a PAT for a material topic.

‍

4. Anticipated financial effects (AFE): quantitative disclosure is the default from FY2029 onward, with meaningful reliefs β€” companies may omit quantitative disclosures where effects are not separately identifiable, where measurement uncertainty is too high, or where the company lacks the resources to produce a reliable analysis. In those cases, qualitative explanation is required.

‍

5. Limited assurance: CSRD reports must be reviewed by an approved auditor providing limited assurance on compliance with ESRS requirements.

‍

6. Machine-readable format: CSRD reports must be prepared in XHTML. Until the relevant mark-up rules are formally adopted, companies are not required to mark up their sustainability reporting.

‍

What changed in the double materiality assessment?

The DMA is still the mandatory foundation of every CSRD report. What changed is both the process and the philosophy. Read the Double Materiality Assessment guide for the details.

‍

A well-executed DMA reveals blind spots, surfaces strategic opportunities, and gives leadership a clear view of where sustainability risk and value are concentrated. It's not just a compliance exercise, it's the foundation of a credible sustainability strategy.

‍

The value chain cap: new legal protection for smaller companies

One of the most important changes introduced by Omnibus I is the value chain cap. Large companies subject to CSRD cannot require their suppliers or value chain partners with fewer than 1,000 employees to provide ESG information beyond what the VSME voluntary standard specifies. Any contractual provision that tries to override this is legally void.

‍

This cap is embedded directly in the amended ESRS 1.

‍

In practice:

‍

  • Large companies must work within the limits of the VSME when collecting supply chain sustainability data. Their auditors must respect those limits too.
  • Companies with fewer than 1,000 employees have a statutory right to refuse data requests that exceed the VSME.
  • If supply chain data isn't available, companies can use estimates alongside directly collected data. The simplified ESRS removes the previous preference for direct data over estimates.
  • For the first three years of reporting, if value chain data is unavailable, companies must explain what efforts were made and what plans exist to obtain the information in future.

How to prepare for CSRD: your roadmap to 2028

Waiting feels logical. It isn't.

‍

According to the EFRAG cost-benefit analysis, wave 1 companies that front-loaded their reporting infrastructure reported significantly lower recurring costs than those that relied heavily on phase-ins. The same pattern is expected for wave 2 companies. Starting now doesn't mean doing everything, it means building the foundation that makes 2028 manageable.

How to prepare for CSRD in 2028

‍

Now (2026):

  • Confirm whether your company is in scope under the new Omnibus I thresholds (more than 1,000 employees AND more than €450M turnover)
  • Conduct or update your double materiality assessment using the simplified top-down approach
  • Run a fit gap analysis against the simplified ESRS to identify your most significant data gaps
  • If you are a wave 1 company still in scope, note that quick-fix phasing-ins are confirmed through FY2026

2027:

  • Set up your ESG data collection infrastructure for FY2026 data
  • Produce an internal CSRD report on FY2026 data as a dry run and pre-assurance preparation
  • Engage with your auditor early, ahead of the 1 July 2027 deadline for harmonised limited assurance standards

2028:

  • Collect FY2027 data
  • Publish your first mandatory CSRD sustainability statement with limited assurance

How to complete your CSRD report with Karomia

Completing a CSRD sustainability statement is a significant undertaking. Karomia's AI-powered ESG reporting platform helps you get the job done pragmatically and painlessly.

‍

Step 1: Upload your double materiality assessment results

Upload your double materiality assessment results
Type image caption here (optional)

If you've conducted your DMA through the Karomia platform, select the relevant assessment from the dropdown. This gives the AI the structured inputs it needs to generate your CSRD report accurately.

If you conducted your DMA outside Karomia, you'll be prompted to select all sub-topics identified as material. Karomia structures and aligns these inputs with ESRS requirements automatically.

‍

Step 2: Upload your ESG documents

Upload your ESG documents

To maximise the data filled by Karomia's AI, upload all relevant sustainability documents β€” environmental reports, social policies, governance documents, and supporting materials. Avoid outdated or duplicate files. They slow down analysis and increase manual review time.

‍

Step 3: Review the AI output and complete your report

Fit gap assessment

Based on your uploaded data, Karomia's AI generates initial answers, flags missing datapoints, and suggests disclosures. This fit gap assessment is built directly into the reporting workflow. Start by reviewing all datapoints marked as incomplete, use Karomia's AI assistant to fill gaps, and mark each disclosure as validated once it's complete. You can assign tasks and track progress across your team directly in the platform.

‍

Step 4: Generate your CSRD report for publication

CSRD report comply with the amended ESRS

‍

Once all datapoints are validated, Karomia generates your final CSRD sustainability statement, structured and formatted in line with the updated ESRS requirements. The report compiles all disclosures into a clear, compliant document with structured text and tables, no redundancies, full traceability.

‍

Frequently asked questions

What is CSRD?

The Corporate Sustainability Reporting Directive (CSRD) is the EU's framework for mandatory sustainability reporting. It requires qualifying companies to disclose ESG information in line with the ESRS, covering governance, strategy, impacts, risks, and opportunities.

‍

Who must comply with CSRD in 2026?

Following the Omnibus I Directive (February 2026), only companies with more than 1,000 employees AND more than €450 million in annual net turnover are subject to mandatory CSRD reporting. This brings the number of companies in scope from approximately 45,000 down to around 10,000.

‍

What is the CSRD reporting deadline?

For companies in scope under the new Omnibus I thresholds, the first mandatory CSRD report is due in 2028, covering FY2027 data.

‍

What is a double materiality assessment under CSRD?

A DMA is the mandatory starting point for CSRD reporting. It identifies which ESG topics are material from two perspectives: impact materiality (how your company affects people and the environment) and financial materiality (how ESG risks and opportunities affect your business). The simplified DMA now allows a top-down approach starting from the business model, rather than scoring all ESRS topics from scratch.

‍

How many ESRS datapoints are required under CSRD?

Under the simplified ESRS, there are 314 mandatory ('shall') datapoints in total, down from 803 β€” a 61% reduction. All 270 voluntary ('may') datapoints have been eliminated. Only datapoints relating to topics identified as material in your DMA are required.

‍

Does CSRD require third-party assurance?

Yes. CSRD reports require limited assurance from an approved auditor. The Commission will adopt harmonised limited assurance standards by 1 July 2027. The previous requirement to move to reasonable assurance has been removed.

‍

What is the CSRD value chain cap?

The value chain cap prohibits large CSRD-reporting companies from requesting more ESG information from their suppliers than the VSME voluntary standard specifies. Companies with fewer than 1,000 employees have a statutory right to refuse requests exceeding these limits. This cap is now embedded directly in ESRS 1.

‍

What are the new reliefs in the simplified ESRS?

The simplified ESRS introduces several important reliefs: "undue cost or effort" for metrics calculations (including own operations); partial scope reporting when full data isn't available; relief for newly acquired or disposed subsidiaries; elimination of the preference for direct over estimated value chain data; exclusion of joint operations from environmental metrics where no operational control exists; and flexibility in anticipated financial effects disclosure. Wave 1 companies also receive additional phasing-in until 2029 for quantitative anticipated financial effects and substances of concern disclosures.

‍

Does CSRD apply to non-EU companies?

Yes. Non-EU companies generating more than €450 million in annual EU revenue are subject to CSRD reporting requirements, with subsidiary or branch thresholds set at €200 million.

‍

Does CSRD apply to banks and insurers?

Yes. Banks and insurance companies that meet the Omnibus I thresholds (more than 1,000 employees and more than €450M turnover) are subject to CSRD reporting requirements.

‍

What is the format of a CSRD report?

CSRD sustainability statements must be prepared in XHTML and digitally tagged in line with the EU's single electronic reporting format. Until the relevant mark-up rules are formally adopted, companies are not required to mark up their sustainability reporting.

‍

What if my company is an SME?

SMEs are not subject to mandatory CSRD reporting. The recommended framework for SMEs is the VSME (Voluntary Sustainability Reporting Standard for SMEs), endorsed by the European Commission on 30 July 2025. It's proportionate, modular, and increasingly expected by banks and larger supply chain partners.

‍

What happens if you don't comply with CSRD?

Non-compliance with CSRD can result in legal penalties, reputational damage, and loss of investor and stakeholder trust. Member States are responsible for enforcement and penalties under their national law. The maximum limit for pecuniary penalties under the related CSDDD is set at 3% of net worldwide turnover.