Europe’s ESG rulebook is not dead. It just went through a very European makeover: part simplification, part political compromise, part corporate stress test, and part “please stop emailing 400 data requests to every supplier with a pulse.” That is the big story behind ESG compliance during the review of the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive, now often shortened to CS3D.
For companies operating in Europe, selling into Europe, or managing subsidiaries somewhere between Dublin and Düsseldorf, the compliance question is no longer, “Is ESG still a thing?” It absolutely is. The real question is, “What still applies, to whom, and how much should we build now instead of waiting for the next Brussels plot twist?”
The smart answer is not panic, and it is definitely not a full stop. Europe has narrowed scope, delayed timelines, and softened several obligations. But the direction of travel is still clear: better sustainability reporting, tighter governance, more disciplined value-chain risk management, and less tolerance for fluffy corporate storytelling disguised as strategy. In other words, the era of “trust us, we care deeply” is still losing ground to “show your process, your controls, and your receipts.”
What CSRD and CS3D Actually Do
CSRD is the disclosure engine
CSRD is Europe’s sustainability reporting regime. It is designed to make ESG disclosures more consistent, more comparable, and much closer to the discipline of financial reporting. The framework relies on the European Sustainability Reporting Standards, or ESRS, which cover environmental, social, and governance topics in one integrated reporting architecture.
The signature feature of CSRD is double materiality. That means companies are expected to assess both how sustainability issues affect enterprise value and how the company affects people and the environment. That two-way lens is more demanding than a narrow investor-only model, and it forces companies to think beyond climate slides and charity photos. Governance, workforce, supply chain impacts, pollution, biodiversity, and human rights all move from “nice talking points” to serious reporting subjects.
CS3D is the conduct rule
CS3D is different. It is not mainly about disclosure. It is about behavior. It requires in-scope companies to identify and address adverse human rights and environmental impacts in their own operations, subsidiaries, and relevant chains of activities. If CSRD asks, “What do you report?”, CS3D asks, “What do you actually do when risk shows up?”
That distinction matters because plenty of companies built ESG programs around publishing. Europe’s due diligence agenda pushes them toward operating discipline instead: risk mapping, supplier engagement, escalation protocols, remediation, board oversight, and evidence that the business can do more than issue polished PDFs with pictures of wind turbines.
Why the Review Changed the Compliance Conversation
The review of CSRD and CS3D happened in a climate of political and commercial pushback. Businesses argued that the original framework was too broad, too expensive, and too fast. Policymakers increasingly framed simplification as a competitiveness issue. The result was not repeal. It was recalibration.
That recalibration matters because many companies had already launched readiness programs under the earlier timetable. Some had invested heavily in gap assessments, data architecture, legal entity mapping, assurance preparation, and supplier questionnaires. Then the review arrived and forced management teams to separate what was genuinely useful from what was merely expensive compliance theater.
The lesson is simple: the review did not make preparation pointless. It made prioritization mandatory.
What Changed Under the Omnibus Review
1. Fewer companies are in scope
The biggest headline is scope reduction. Under the finalized review, CSRD now focuses on the largest companies, generally those with more than 1,000 employees and more than €450 million in annual turnover. For non-EU groups, the regime still matters, but the threshold is tied to large EU turnover and an EU subsidiary or branch above the required level.
That is a dramatic narrowing compared with the earlier expectation that many more large undertakings would need to report. It also means that some companies that spent 2024 and 2025 preparing for mandatory reporting may now find themselves outside the immediate reporting perimeter.
2. Timelines moved to the right
Europe effectively hit the pause button for certain waves of implementation. The review delayed reporting for companies that had not yet started and pushed CS3D compliance further out. In practice, this gives businesses more time, but it does not give them a reason to do nothing. Extra time is useful only if companies use it to build systems that are proportionate, repeatable, and tied to actual risk.
Many executives hear “delay” and translate it to “we can forget about this until 2028.” That is how future compliance projects become expensive emergency room visits. Better translation: “use the breathing room to build smartly.”
3. Reporting is still serious, just more targeted
Sector-specific reporting is no longer the same looming monster it once appeared to be, and the value-chain cap gives smaller business partners more protection from endless information demands. That is a practical response to one of the loudest business complaints: large companies were at risk of pushing their compliance workload downhill onto smaller suppliers that had neither the budget nor the staff to answer every questionnaire under the sun.
For in-scope companies, though, the message is not “report less thoughtfully.” It is “report with more discipline.” Materiality decisions, governance processes, control environments, and evidence trails still matter. Limited assurance still matters. Data quality still matters. You may be collecting fewer fields, but those fields still need to survive scrutiny.
4. Due diligence became narrower and more risk-based
CS3D was also tightened. The scope now centers on very large companies, and the due diligence model puts more emphasis on areas in the chain of activities where adverse impacts are most likely. That makes compliance more targeted and arguably more operationally realistic.
At the same time, companies should not confuse “risk-based” with “casual.” A focused approach still requires documented reasoning, defensible prioritization, and a governance structure that can show regulators the company is not cherry-picking easy issues while ignoring the ugly ones.
5. Climate transition plans lost some legal bite
One of the most notable changes is the removal of the CS3D obligation to adopt a climate transition plan. That does not mean climate planning suddenly became irrelevant. Investors still care. Banks still care. Customers still care. And under CSRD, climate-related governance, strategy, impacts, risks, and opportunities still sit at the heart of many reporting exercises.
So while one legal lever weakened, the commercial case for transition planning did not vanish. If anything, companies now need better judgment: do the work because it supports resilience, capital access, procurement credibility, and board oversight, not just because a law once made it look mandatory.
What Companies Should Do Right Now
If you are clearly still in scope
Do not treat the review as a reason to slow-roll compliance. Use the narrower framework to sharpen execution. Reconfirm legal scope by entity, refresh your gap assessment, tighten your double materiality process, and build internal controls around the sustainability data you know will matter. If your reporting is likely to be assured, bring assurance thinking into the process early instead of discovering documentation problems three weeks before sign-off.
In-scope companies should also redesign supplier engagement. The old instinct was to send giant data requests far and wide, then hope someone answered. The better model is tiered: prioritize high-risk areas, ask for the minimum necessary information, document why the request matters, and avoid turning supplier management into a hostage situation with spreadsheets.
If you may now be out of scope
Do not throw away everything you built. Keep the pieces that improve governance and commercial performance. Materiality mapping, emissions data discipline, human-rights escalation processes, supplier segmentation, and sustainability ownership models can still create value even without a near-term filing obligation.
This is especially true for businesses that sell to large EU customers, seek institutional capital, bid on sophisticated procurement programs, or expect future threshold changes. Europe has already shown that its ESG rules can evolve. Being somewhat ready is cheaper than rebuilding from scratch every time the political weather changes.
If you are a non-EU group with European exposure
Do not rely on headquarters assumptions alone. Map your EU footprint carefully. The legal trigger may sit in a subsidiary, a branch, a listed instrument, or group-level turnover. Many multinational companies underestimate how quickly a European reporting duty can become a group-wide governance issue, especially where local management lacks clear ownership and the parent expects legal, finance, sustainability, and procurement teams to magically coordinate by telepathy.
Common Mistakes During the Review Period
Mistake one: treating delay as cancellation. It is not.
Mistake two: assuming ESG compliance is only a reporting problem. It is also a process, controls, and accountability problem.
Mistake three: overengineering for every possible rule at once. That approach burns budget and patience.
Mistake four: underestimating legal entity detail. Europe loves legal entity detail almost as much as it loves acronyms.
Mistake five: collecting data without a governance model. Data without ownership is just digital clutter in a nicer outfit.
Illustrative Examples
A U.S.-based industrial group with several EU subsidiaries may find that only a portion of its structure remains in scope after the review. The right move is not to dismantle its entire readiness program. Instead, it should centralize the materiality methodology, maintain core environmental and workforce data controls, and narrow its formal reporting perimeter to the entities that still matter now.
A global consumer goods company with a complex supplier base may benefit from the value-chain cap because it can no longer justify asking every small vendor for everything under the ESG sun. The smarter compliance strategy is to segment suppliers by risk, geography, and product exposure, then apply due diligence depth where it is most relevant.
A private company that drops out of mandatory CSRD scope may still choose to align partially with ESRS-style governance because lenders, customers, or future buyers increasingly view sustainability data quality as a proxy for management quality. In that setting, a voluntary but disciplined approach can still be commercially powerful.
Experiences From the CSRD and CS3D Review Period
The most interesting experience from the review period is that many companies discovered ESG compliance was never really one project. It was a mirror. Once teams started preparing for CSRD or CS3D, they suddenly saw where responsibilities were fuzzy, where supplier data was unreliable, where legal and sustainability teams barely spoke the same language, and where the board wanted ambitious goals without equally ambitious systems. The review did not create those weaknesses. It simply made them impossible to ignore.
One common experience was executive whiplash. In 2024 and early 2025, management teams were told to move fast because reporting waves were approaching. Then the review introduced delays and narrower scope. Some leaders reacted by asking why the company had spent money so early. But the companies that handled the shift best were usually the ones that treated the work as capability-building, not just deadline-chasing. They realized that mapping emissions, understanding labor risks, improving controls, and assigning ownership were not wasted steps. They were the foundation of a more mature business process.
Another recurring experience involved supplier relationships. Before the review, some large companies flooded vendors with sprawling ESG questionnaires, hoping to solve uncertainty with volume. That approach often backfired. Suppliers became frustrated, response quality dropped, and procurement teams started negotiating compliance fatigue instead of actual risk. During the review, more mature companies changed course. They reduced duplicate requests, focused on higher-risk suppliers, explained why information was needed, and coordinated legal, procurement, and sustainability teams more carefully. The result was not perfect harmony, but it was far more workable than the old “send 17 templates and pray” model.
Internal culture also shifted. Teams that once saw ESG as a communications exercise began to understand it as an operating model. Finance started caring because assurance was on the horizon. Legal cared because scope and liability questions became more concrete. Internal audit cared because controls suddenly mattered. Procurement cared because supply chain due diligence could no longer live in a slide deck. In many organizations, the review period acted like a forced introduction between departments that should have been talking years earlier.
There was also a psychological lesson. Companies learned that regulatory uncertainty is not a reason to freeze. It is a reason to build adaptable systems. The businesses that struggled most were often the ones waiting for perfect clarity before doing anything. The businesses that progressed were the ones building modular processes: reusable materiality methods, flexible data architectures, entity-level scoping logic, and governance models that could survive another round of political edits. In Europe, that is not pessimism. That is realism wearing a suit.
In the end, the review period taught a useful truth: strong ESG compliance is less about chasing every headline and more about building a company that can respond calmly when the headlines change.
Conclusion
Europe’s ESG framework is still very much alive, but it is now more selective, more political, and more practical than many businesses expected. CSRD remains a major reporting regime for large companies. CS3D remains a serious due diligence framework for very large companies. The review narrowed the net, delayed some dates, and reduced some burdens, but it did not erase the strategic importance of sustainability governance.
That is why the winning approach in 2026 is neither overreaction nor denial. It is targeted readiness. Know your scope. Keep what creates long-term value. Build systems that can stand up to reporting, assurance, and risk management. And if your organization is still hoping ESG compliance can be handled by one overworked person and a heroic spreadsheet, this review period has already delivered its clearest message: that era is over.