Corporate Sustainability Reporting Directive (CSRD) compliance in 2026 comes with planning challenges. The Omnibus agreement has narrowed the mandatory scope, the amended European Sustainability Reporting Standards (ESRS) are expected by mid-2026, and Wave 1 companies are already reporting under limited assurance. For sustainability managers who own the work, the harder question isn't what the regulation requires, it's where to start, and how to build a process that holds up under audit.

This guide covers the full CSRD compliance sequence: scoping your obligations after the Omnibus, running a double materiality assessment (DMA), mapping applicable ESRS standards, and building documentation auditors can actually review. Not just a timeline, a process. Where changes to that process become necessary as standards evolve, they are permissible, provided the reasons are transparently disclosed in your sustainability statement.

Who still needs to comply with CSRD after the Omnibus?

The Omnibus agreement significantly narrows the mandatory CSRD scope. Companies now need to meet both of the following thresholds: more than 1,000 employees and more than €450 million in net annual turnover. Under the previous rules, meeting two of three criteria was sufficient, those being employee count, net turnover, and total balance sheet assets exceeding €20 million. On 24 February 2026, the Council of the European Union adopted the final text of the Omnibus Directive, marking the last major step in the legislative process following the European Parliament's approval in December 2025. The new rules require both primary thresholds, removing approximately 85% of previously in-scope companies.

Wave 1 companies are already reporting. Their first CSRD reports cover the financial year 2024, published in 2025. Wave 2 companies, those meeting the new Omnibus thresholds, are delayed by two years: reporting applies from financial year 2027, with reports published in 2028. Listed SMEs are fully removed from mandatory scope.

Important caveat: a legal exemption doesn't mean the work goes away. Banks, investors and large CSRD-reporting companies routinely request sustainability data from their supply chains and value-chain partners. A company below the Omnibus threshold that supplies a CSRD reporter or seeks sustainability-linked financing may find voluntary CSRD-aligned reporting (VSME) effectively required. The Omnibus proposal addresses this trickle-down pressure by positioning VSME as a benchmark for what can reasonably be expected from excluded SMEs. This both gives smaller companies a recognised framework to meet market demands and sets a ceiling on what larger players and financiers can legitimately request from them, with VSME defining the outer boundary of reasonable expectation.

For the full breakdown of revised thresholds and timelines check out our article on CSRD under Omnibus.

What is double materiality and why does it come first?

The double materiality assessment (DMA) determines which ESRS topics a company must report on. Everything downstream in the CSRD compliance process from ESRS mapping, data collection to disclosure drafting, follows from the DMA output. There is no logical sequence without it.

Double materiality assessments evaluate sustainability topics from two perspectives:

1. Impact materiality asks how a company's activities affect people and the environment (inside-out): greenhouse gas emissions, labor conditions in the supply chain, water pollution. 
2. Financial materiality asks how sustainability issues affect the company's financial performance and position (outside-in): climate-related risks to assets, regulatory changes affecting revenue, resource scarcity affecting input costs.

In CSRD, a topic is material if it crosses the threshold on either dimension, not both. Meeting the standard on impact alone makes it material. This is a common source of error in early DMA work: applying an "and" test when the regulation requires an "or" test.

One critical point: the DMA process and its outcomes are subject to third-party limited assurance. Auditors don't just review the final materiality matrix, they assess the methodology, stakeholder engagement records, scoring logic and threshold decisions. We recommend starting the documentation process early, rather than trying to piece everything together at the last minute. 

{{custom-cta}}

How do you identify and score IROs?

Impacts, Risks and Opportunities (IROs) are the building blocks of a double materiality assessment. Each IRO is identified per ESRS topic, scored against consistent criteria and either confirmed as material or documented as out of scope. 

The IRO identification process under CSRD breaks down into five steps:

1. Scope your business context. Define the activities, geographies and value-chain stages relevant to your company. A logistics business, for example, must consider Scope 3 emissions from fuel combustion across its contracted carriers, not just its own fleet.

2. Build a long list of potential IROs per ESRS topic. Draw on desk research, regulatory guidance and internal expertise to generate a comprehensive list before filtering begins.

3. Engage stakeholders to validate and challenge the longlist. Stakeholder input is required under ESRS 2 IRO-1. Surveys, interviews and workshops with employees, customers, NGOs and investors surface blind spots your internal team may have missed.

4. Score each IRO. For impact IROs: assess severity (scale, scope, irremediability) and likelihood. For financial IROs: assess magnitude and likelihood. Apply scoring thresholds consistently across all topics, inconsistent scoring is a red flag for auditors.

5. Document every decision. Record management judgements, scoring rationale, threshold definitions and any evidence used. According to EFRAG's Materiality Assessment Implementation Guidance, companies must maintain detailed records of management decisions for each IRO, including how thresholds were determined and applied.

A practical example

A manufacturing company with a global supply chain will typically find labor conditions in the value chain (S2) and climate-related transition risks (E1) on their IRO longlist. Whether either turns material depends on scoring but both require a documented assessment, even if they fall below threshold.

Under ESRS 2 (General disclosures) companies are required to report on two disclosure requirements related to the materiality assessment process: IRO-1 and IRO-2. Both require companies to disclose how the DMA was conducted and which IROs were identified. That disclosure is audited. 

Which ESRS standards apply to your company?

The DMA output determines which of the 10 topical ESRS standards are mandatory for a given company. Not every standard applies to every business, only those where the DMA identifies material topics.

Two cross-cutting standards are mandatory for all in-scope companies regardless of DMA results: ESRS 1 (general requirements) and ESRS 2 (general disclosures). ESRS 2 covers governance, strategy, business model and risk management disclosures, and includes the IRO disclosure requirements. The cross-cutting standards and 10 topical standards divide as follows:

‍

If the DMA finds a topic is not material, the company generally doesn't need to report on the corresponding standard. E1 is the practical exception: companies that conclude climate is not material must explain why, which is a high bar to clear in most sectors.

The amended ESRS, to be adopted via Delegated Act no later than six months after the Omnibus I Directive enters into force, reduces mandatory data points by 61%, from 803 to 347, per EFRAG's December 2025 technical advice. All voluntary data points have been removed. A three-year phase-in applies to E4, S2, S3 and S4 even where those topics are material.

This isn't a simpler exercise. It's a cleaner one. Fewer data points means greater scrutiny on the ones that remain, with sharpened expectations on fair presentation and coherence across disclosures.

How do you build audit-ready sustainability reporting?

Audit-readiness is a design principle embedded throughout the compliance process, not a final review step. Companies that treat it as a checklist to complete before submission tend to find gaps that are expensive to close retrospectively.

The practical implication: capture management judgements in writing as decisions are made, not reconstructed after the fact. A materiality threshold decision made in April needs a contemporaneous record, not a summary drafted in November. That said, if circumstances require changes to earlier judgements, these can be made as long as they are transparently disclosed alongside a clear explanation of the reasons behind them.

One additional requirement to plan for‍

CSRD sustainability statements will ultimately need to be published in XHTML with inline XBRL digital tagging, but this requirement is currently on hold. Under the Omnibus I Directive, mandatory XHTML and ESRS inline XBRL tagging is paused until a digital taxonomy is formally adopted by ESMA via a Regulatory Technical Standard (RTS). Given the revised scope and timeline, with FY2027 likely being the first CSRD reporting year for the new cohort, full machine-readable sustainability reports are not expected before approximately 2029. Companies do not need to act on this now, but it is worth flagging as a future technical workstream: once the Regulatory Technical Standard and the updated ESRS XBRL taxonomy are finalised, implementing the tagging infrastructure will require meaningful lead time.

What does CSRD limited assurance audit actually require?

Documentation quality and process consistency are what auditors focus on under limited assurance, not perfect data. A disclosed estimate with a clear source and rationale is auditable. An undisclosed estimate with no documentation is not.

Limited assurance under the CSRD is negative assurance. This means the auditor concludes that nothing came to their attention indicating the sustainability statement contains a material misstatement. It is a lower bar than the positive assurance applied to financial statements, but it still requires systematic evidence review across the full sustainability report.

Limited assurance can be performed by a statutory auditor, audit firm or, where a member state permits it, an Independent Assurance Service Provider (IASP). Companies should engage their assurance provider early, ideally before the DMA is finalised, so methodology decisions are made with auditor input from the start.

The EU Commission is required to adopt a formal limited assurance standard by July 1, 2027, extended under the Omnibus from the original October 2026 deadline. Until that standard is in place, national standards apply. The Committee of European Auditing Oversight Bodies (CEAOB) published non-binding guidelines on limited assurance in September 2024 to promote consistency across member states in the meantime.

The Omnibus agreement removed the previous plan to upgrade to reasonable assurance. Limited assurance is now the permanent standard, not a transitional arrangement.

EFRAG's Materiality Assessment Implementation Guidance sets out the documentation requirements explicitly: companies must record management judgements throughout the DMA, provide evidence of due diligence activities and maintain decision logs for each IRO, including how thresholds were applied.

How does Coolset help with CSRD compliance?

Coolset supports the full CSRD compliance sequence, from double materiality assessment through to audit-ready reporting.

The platform's DMA tool guides stakeholder engagement, generates materiality matrices aligned with ESRS requirements and produces documentation that supports auditor review. For ESRS disclosures, Coolset provides structured templates with smart autofill based on existing organisational data, along with task assignment and team collaboration across departments.

Every disclosure includes an audit trail: supporting documentation, data sources and decision records are linked directly to each data point. Reports export in PDF, Word and XBRL formats. 

Coolset also supports data reuse across the Voluntary SME Standard (VSME), EU Taxonomy and the EU Deforestation Regulation (EUDR), so the work done for CSRD doesn't sit in isolation.

Frequently asked questions

What is double materiality under the CSRD?

Double materiality requires companies to assess sustainability topics from two perspectives: how the business is affected financially by sustainability issues (financial materiality) and how the business impacts people and the environment (impact materiality). A topic is material if it meets the threshold on either dimension. The assessment determines which ESRS topical standards must be reported on.

What has the Omnibus proposal changed for CSRD?

The Omnibus agreement of December 2025 narrows mandatory scope to EU companies with more than 1,000 employees and more than €450 million in net turnover. The agreement delays Wave 2 reporting by two years to FY2027 (published 2028), reduces mandatory ESRS data points by 61%, removes sector-specific standards and makes limited assurance the permanent standard.

Is the double materiality assessment subject to audit?

Yes. Both the process and results of the DMA are subject to third-party limited assurance. Under ESRS 2 IRO-1 and IRO-2, companies must disclose how the assessment was conducted. Auditors review stakeholder engagement records, scoring methodology, threshold decisions and management judgements.

‍What is the difference between limited and reasonable assurance?

Limited assurance audit, required under CSRD, is negative assurance: the auditor states nothing came to their attention suggesting material misstatement. Reasonable assurance (the standard for financial audits) is positive: the auditor confirms the information is accurate. The Omnibus agreement removed the planned move to reasonable assurance, making limited assurance permanent.

Do companies outside the Omnibus threshold still need to prepare for CSRD?

Many do. Value-chain partners, banks and customers of CSRD-reporting companies frequently request sustainability data regardless of mandatory scope. Companies supplying large corporations or seeking sustainability-linked financing may find CSRD-aligned reporting effectively required, even without a legal obligation.

{{product-tour-injectable}}