The EU Omnibus package: what changed — and why ESG reporting still can’t wait

The EU Commission’s Omnibus simplification package was the most-discussed regulatory development of the past quarter — and the most misread. Headlines made it sound as if the Corporate Sustainability Reporting Directive had been rolled back. In reality, the changes are narrower, and the underlying obligations haven’t disappeared for most companies. They have shifted — in scope and in timeline. At the same time, demand for solid ESG data from investors, banks and large customers keeps growing.

For finance and sustainability leads, the question is no longer whether the rules will change again — they will. The question is how to build a reporting setup that absorbs those changes without starting over every twelve months. In conversations with our customers in March, the same three themes kept coming up.

1. Reduced scope, unchanged expectations

The Omnibus raises CSRD thresholds so that fewer mid-sized companies are directly in scope. In practice, most of those companies still face the same questions — from their banks, their largest customers and (for portfolio companies) their investors. Reporting under VSME has emerged as the pragmatic answer for the now-exempt tier: less prescriptive than full ESRS, but robust enough to clear a financing covenant or a tier-1 supplier audit.

Wave-1 reporters see parts of their timeline pushed back — the methodological work (boundary setting, double materiality, Scope 3 data collection) hasn’t got easier as a result. Companies that started early don’t regret it. They’re using the extra months to deepen primary data inside their supply chain — that’s where most of the audit risk sits. Those that paused are now restarting with less buffer than expected.

Underneath the regulatory headlines, market mechanics haven’t changed. SFDR Article 8 and 9 funds still need PAI data from portfolio companies. CBAM importers still need embedded-emissions data per shipment. ISSB-aligned reporting is by now the default expectation for any company with international investors — regardless of EU scope. The Omnibus changes the legal trigger. It doesn’t change who is asking for the numbers.

Our recommendation to customers is consistent: build the data base once — so it fits ESRS, VSME, GHGP, ISSB and SFDR at the same time. Treat the regulatory entry point as configuration, not architecture. The companies that will move calmly through 2026 are the ones that decided in 2025 to stop reporting framework-by-framework — and instead report from a single source of truth.