The Corporate Sustainability Reporting Directive (CSRD) is the most significant change to European corporate disclosure since the introduction of the International Financial Reporting Standards (IFRS). It replaces the Non-Financial Reporting Directive (NFRD), and forces sustainability data to meet the same standard and rigor as financial data. For sustainability managers at mid-market EU companies, 2026 is the year CSRD reporting stops being a theoretical project and becomes operational reality.

This guide explains what CSRD reporting requires in 2026, who is in scope after the Omnibus simplification package, how the timeline has shifted, and what concrete steps your team should take now to prepare a defensible, audit-ready report.

What is CSRD?

The Corporate Sustainability Reporting Directive (CSRD) is an EU law, adopted in December 2022 as Directive (EU) 2022/2464, that requires companies to publish detailed, audited information on their sustainability performance. CSRD reporting is the process of collecting, calculating, disclosing and assuring that information in line with the European Sustainability Reporting Standards (ESRS), which are set out in Commission Delegated Regulation (EU) 2023/2772.

CSRD amends four existing pieces of EU legislation, including the Accounting Directive (2013/34/EU) and the Transparency Directive (2004/109/EC). In practice, this means sustainability information now sits inside the management report of a company's annual financial statements rather than in a separate, voluntary sustainability report.

Which companies are affected

Under the original CSRD text, the directive applied to four groups: large EU companies meeting two of three thresholds (more than 250 employees, over 50 million euros in net turnover, over 25 million euros in total assets), all EU listed companies (including listed SMEs), large EU subsidiaries of non-EU parents, and non-EU parent companies with significant EU activity.

The Omnibus I simplification package, proposed by the European Commission in February 2025, significantly narrows that scope. Once adopted in its final form, CSRD is expected to apply only to companies with more than 1,000 employees that also exceed either 50 million euros in turnover or 25 million euros in balance sheet total. The Commission estimates this removes roughly 80 percent of companies from scope compared to the original directive. Listed SMEs are exempted entirely, and the threshold for non-EU parent companies has been lifted to 450 million euros in EU turnover.

Key requirements overview

At a high level, CSRD reporting requires four things from in-scope companies. First, a double materiality assessment that identifies which sustainability topics are material from both an impact and a financial perspective. Second, disclosures against the ESRS covering governance, strategy, impact and risk management, and metrics and targets. Third, machine-readable reporting in XHTML format with iXBRL tagging under the European Single Electronic Format (ESEF). Fourth, limited assurance from an accredited auditor, rising to reasonable assurance once the Commission adopts the necessary standards.

Why CSRD matters for your business

CSRD reporting matters because it is legally binding, publicly disclosed and directly tied to financial reporting deadlines. A missed or misstated CSRD disclosure carries the same management responsibility as a misstated financial disclosure, and national regulators have begun transposing the directive with sanctions that echo financial reporting penalties.

Under Article 49 of the amended Accounting Directive, member states must ensure that penalties are effective, proportionate and dissuasive. In the Netherlands, the draft transposition ties CSRD enforcement to existing AFM powers and allows fines of up to 10 million euros or 5 percent of annual turnover for listed issuers. In France, the ordonnance of 6 December 2023 allows criminal penalties for obstructing the statutory auditor's sustainability work. Ireland's transposing regulations provide for fines up to 50,000 euros and imprisonment for directors who knowingly authorize non-compliant reports.

Beyond penalties, CSRD reporting affects access to capital. Banks subject to the EBA's Pillar 3 ESG disclosure requirements rely on CSRD data from their counterparties to calculate Green Asset Ratios. Companies that cannot provide ESRS-aligned data risk higher financing costs or loss of eligibility for sustainability-linked loans. Large customers subject to CSRD will also push data requests down their supply chain, which means even out-of-scope suppliers feel the effect.

The upside is structural. Companies that treat CSRD reporting as a genuine management exercise rather than a disclosure burden tend to uncover inefficiencies in energy use, logistics and supplier risk that would otherwise remain invisible. A properly executed double materiality assessment surfaces the Impacts, Risks and Opportunities (IROs) that actually move the business, which is useful input for strategy and capital allocation regardless of the regulatory trigger.

{{product-tour-injectable}}

Key requirements of CSRD

The ESRS set out 12 cross-sector standards: two general standards (ESRS 1 and ESRS 2), five environmental standards (E1 through E5), four social standards (S1 through S4), and one governance standard (G1). ESRS 1 defines general requirements, ESRS 2 defines general disclosures, and the topical standards apply only where the double materiality assessment concludes the topic is material.

ESRS 2 is the only standard that is always mandatory. It requires disclosures on basis of preparation, governance, strategy, impact, risk and opportunity management, and metrics and targets. Every other topical standard is conditional on materiality, with one exception: ESRS E1 Climate change requires an explicit, reasoned explanation if a company concludes it is not material.

Reporting scope

CSRD reporting covers the reporting entity and, where applicable, its consolidated subsidiaries. Organizational boundaries follow the financial consolidation perimeter, which aligns sustainability reporting with the annual accounts. The value chain dimension extends further. ESRS 1 requires companies to include material information on upstream and downstream value chain actors where relevant for understanding impacts, risks and opportunities.

A transitional provision in ESRS 1 allows companies to omit certain value chain information for the first three years of reporting where that information is not reasonably available, provided they disclose the efforts made to obtain it and the plans to close the gap. This mechanism is one of the few exceptions to account for data maturity issues, it should not be applied as the default, but rather be used intentionally where data maturity is a real concern.

The double materiality assessment sits at the center of scope definition. The topics identified as material in the DMA go on to define which ESRS topics are in scope for the full CSRD report. It is crucial to make sure your DMA is thorough and considers all possible IROs related to your business.

Data requirements

ESRS disclosures split into quantitative datapoints and narrative qualitative disclosures. EFRAG's implementation guidance lists over 1,100 datapoints across the 12 standards, of which roughly 265 apply under ESRS 2 alone. Datapoints are classified as mandatory or voluntary, and as quantitative, semi-narrative or narrative.

Quantitative metrics include Scope 1, 2 and 3 greenhouse gas emissions calculated in line with the Greenhouse Gas Protocol, energy consumption by source, water withdrawals in water-stressed areas, waste generation by type, and a range of workforce metrics such as gender pay gap and non-employee headcount. Scope 3 is often the most painful area because it depends on supplier data quality and spend-based proxies are only acceptable in early years.

Qualitative disclosures cover policies, actions, targets and transition plans. ESRS E1 in particular requires a climate transition plan compatible with limiting warming to 1.5 degrees Celsius, with milestones for 2030 and, where relevant, 2050. These narrative sections are where assurance providers concentrate much of their scrutiny, because the underlying evidence (board minutes, internal memos, policy documents) is harder to standardize than a fuel invoice.

How to prepare for CSRD

Preparing for CSRD reporting is a multi-year exercise even for companies with mature sustainability functions. Although reporting looks different for every company, there are some key steps to get you started.

1. Confirm scope and reporting boundary. Verify your company's employee count, turnover and balance sheet total against the Omnibus-revised thresholds as they are finalized in your member state.
2. Run a double materiality assessment. Identify stakeholders, map the value chain, catalogue IROs, score them against defined thresholds and document the process. Make sure you keep a well-organized record of how you conduct your DMA.
3. Audit your ESRS datapoints against material topics: assign ownership, source, and calculation method to each one.
4. Close data gaps. For Scope 1 and 2, that usually means centralizing utility and fleet data. For Scope 3, it means engaging suppliers, replacing spend-based proxies with activity-based factors where feasible, and documenting assumptions.
5. Draft policies, actions and targets. Align the climate transition plan with Paris-aligned pathways and ensure board approval is documented.
6. Build the XHTML report with iXBRL tagging. The ESEF taxonomy is published by ESMA and must be applied at the datapoint level.
7. Engage your assurance provider early. Under Article 34a of the amended Accounting Directive, limited assurance applies from the first year of reporting. Coolset's walkthrough in how to get audit-ready for CSRD covers the practical steps.

‍

‍

There are three key areas where companies commonly face challenges. First, Scope 3 data quality, particularly for purchased goods and services (Category 1) and use of sold products (Category 11). Second, value chain engagement, where suppliers are reluctant or unable to share primary data. Third, internal controls: sustainability data has historically lived in spreadsheets outside the ERP, and limited assurance requires controls comparable to those over financial data.

{{custom-cta}}

CSRD timeline and deadlines

The CSRD timeline was restructured by the Omnibus "stop-the-clock" directive (Directive (EU) 2025/794), which entered into force in April 2025 and postponed reporting obligations for Waves 2 and 3 by two years. The revised phase-in is as follows.

• Wave 1: Large public-interest entities with more than 500 employees that were already subject to NFRD. First reporting on financial year 2024, published in 2025. This wave is unchanged by the Omnibus.
• Wave 2: Other large EU companies meeting the size thresholds. First reporting on financial year 2027, published in 2028 (postponed from financial year 2025).
• Wave 3: Listed SMEs, small and non-complex credit institutions and captive insurance undertakings. First reporting on financial year 2028, published in 2029 (postponed from financial year 2026). Under the Omnibus content proposal, listed SMEs are expected to be removed from scope entirely.
• Wave 4: Non-EU parent companies with net turnover above €150 million in the EU for two consecutive years, where a subsidiary or branch in the EU meets the relevant size criteria. First reporting on financial year 2028, published in 2029.

Transition periods within the ESRS themselves also apply. Companies with fewer than 750 employees can omit Scope 3 emissions and ESRS S1 workforce metrics in year one, and can omit ESRS E4 Biodiversity, E5 Resource use and circular economy, S2 Workers in the value chain, S3 Affected communities and S4 Consumers and end-users for the first two years. All companies benefit from a three-year transition on anticipated financial effects under E1 to E5.

Reasonable assurance is scheduled to replace limited assurance once the Commission adopts the relevant standards, which Article 26a of the Audit Directive allows from October 2028 at the earliest. Until then, the assurance opinion is limited assurance, which is a lower bar but still requires robust evidence.

How Coolset helps with CSRD

Coolset is an ESG and supply chain software built for compliance-first teams in the EU. The platform covers the full CSRD reporting lifecycle, from double materiality assessment through data collection, calculation, disclosure drafting and audit preparation.

On data collection, Coolset automates Scope 1, 2 and 3 emissions calculations in line with the GHG Protocol. For Scope 3 categories where primary data is unavailable, the platform applies activity-based and spend-based methods and flags the estimation method in the audit trail.

Coolset's compliance dashboard tracks progress against the double materiality outcome, shows the datapoints that still require evidence, and exports in a format compatible with iXBRL tagging.

On audit readiness, every datapoint in the platform carries a full audit trail: source document, calculation method, applied emission factor, reviewer, approval timestamp. This is the level of traceability that limited assurance providers expect, and it is the difference between a smooth audit and a prolonged one.

Frequently asked questions

Is CSRD reporting still mandatory after the Omnibus package?

Yes. CSRD remains in force. The Omnibus simplification package narrows the scope to companies with more than 1,000 employees meeting one of two financial thresholds and delays Waves 2 and 3 by two years, but the underlying reporting obligation, the ESRS and the assurance requirement remain intact for in-scope companies.

What is the difference between CSRD and ESRS?

CSRD is the directive that creates the legal obligation to report. ESRS are the standards that define what and how to report. The European Sustainability Reporting Standards, set in Commission Delegated Regulation (EU) 2023/2772, contain the 12 standards and over 1,100 datapoints that in-scope companies apply.

Does CSRD apply to UK companies?

Not directly. The UK is not an EU member state. However, UK companies with a large EU subsidiary, an EU-listed entity or significant EU turnover can fall into scope through the large-subsidiary route or the non-EU parent route (the latter at 450 million euros in EU turnover under the Omnibus proposal). Many UK groups are also pulled in indirectly through customer data requests.

When is the first CSRD report due for mid-market EU companies?

Most mid-market EU companies fall into Wave 2. After the Omnibus stop-the-clock directive, Wave 2 companies first report on financial year 2027, with the report published alongside the 2027 annual accounts in 2028. Companies below 1,000 employees are expected to fall out of scope once the Omnibus content proposal is adopted.

What kind of assurance does CSRD require?

Limited assurance from the start, performed by a statutory auditor or, where member states allow, an independent assurance services provider. The Commission may move the requirement to reasonable assurance from October 2028 at the earliest, once it has adopted the relevant assurance standards under Article 26a of the Audit Directive.