The EU Omnibus proposals that landed last week have been billed as a mechanism to boost EU competitiveness and simplify some of the EU’s major ESG regulations. But these proposals will exacerbate short-term regulatory uncertainty, undermining years of good progress in ESG and sustainability due diligence.

The measures cover the EU Taxonomy, Corporate Sustainability Reporting Directive (CSRD), Corporate Sustainability Due Diligence Directive (CSDDD), and Carbon Border Adjustment Mechanism (CBAM). According to the EU, they will reduce ESG regulatory reporting burdens for all businesses, particularly SMEs and small mid-caps.

However, some larger companies had already begun reporting or preparing to report under the CSRD – including significant investments in reporting systems and processes – and the CSDDD had already been subjected to a tortured watering-down process in 2024. All proposals will now be subject to debate by the EU Parliament and Council – the timings and outcomes of which are uncertain.

So, what are the key changes in the Omnibus proposal, and how will they impact businesses?

Risk assessment is limited to direct suppliers only

This change is significant. The previous risk-based approach ensured companies focused their assessment efforts on critical parts of their supply chain. Instead of overwhelming thousands of direct suppliers with often redundant data and information requests regardless of their impact or risk, companies would prioritise supply chains and suppliers posing the highest risk and look further upstream to assess, identify and address the source and origin of that risk.

This approach was resource efficient, both for the buyer (why risk assess thousands of low-impact direct suppliers?) and the supplier (no lengthy supplier self-assessment questionnaires).

The new proposals appear to be modelled on the German Supply Chain Act (Lieferkettensorgfaltspflichtengesetz—LkSG). This is misguided. The lessons of that regulation were that larger companies cascaded the liabilities and costs of compliance to their direct suppliers rather than taking discernible action to address risk and impact themselves.

The new proposals also overlook that the most severe social and environmental impacts occur beyond direct suppliers. While there is recognition that companies may have to look beyond their direct suppliers when there is “plausible information”, companies would only be required to assess and identify the upstream risk if they are made aware of it, rather than identifying it through proactive due diligence. This is simply poor business management. Businesses should be required to undertake due diligence on risks that may materially impact them.

As a result, the new risk assessment proposals will likely become a bureaucratic exercise – adding cost and time but doing little to encourage business managers to adequately identify and manage the risks that matter most.

Our advice is to continue with a risk-based approach. Avoid over-burdening suppliers with excessive information demands and focus on company due diligence, risk assessment, and remediation where impacts and risks are most severe.

Introducing a maximum legal bar for member state due diligence requirements

To encourage a uniform, standardised requirement, from which member states cannot deviate or “raise the bar”, the Omnibus would extend the “scope of maximum harmonisation” to several additional requirements within the CSDDD. This appears to be a response to outside lobbying from the US to avoid inconsistency across EU member states.

On paper, this makes sense. In reality, it introduces a very low legal bar that individual member states cannot exceed, regardless of the need to adapt or strengthen their due diligence requirements in line with their existing legal system maturity and the nuances of their own domestic industries and supply chains.

It’s unclear how this part of the CSDDD Omnibus will play out in the coming weeks and months as it is debated in the Council and Parliament. To avoid uncertainty, our advice to companies continues to be to prepare early and go beyond compliance. Build your core due diligence system around the OECD Guidelines and the UN Guiding Principles, but keep it proportionate to the size and risk exposures you face. Once there is clarity on the regulation, any compliance gap will be minimal, if there is one at all.

Timelines for enforcement

Under the new proposals, enforcement will be pushed back by one year, meaning phase 1 companies with a revenue threshold of Euro 1.5bn will no longer need to comply until July 2028. This is a staggering delay, not least since the CSDDD already underwent considerable watering down in 2024, with enforcement timelines pushed back to 2027.

According to the EU, the additional delay will give companies more time to prepare and allow time for EU Guidance to be published to support them in their implementation. This means more regulatory uncertainty for companies, many of which had already begun investing to review and prepare their internal supply chain due diligence systems and processes this year.

The EU has been late providing guidance to companies and has stated that the postponement will allow companies to “reduce their reliance on legal counselling and advisory services”. This is unfortunate. Not only have legal and advisory firms been filling a void left by the EU as the Directive has continually been delayed, but the substance of the EU Directive dates back 3 years.

Our advice to companies? Avoid delays. Look beyond the regulation and identify the business case for strengthening supply chain due diligence systems and processes based on OECD Guidelines, the UN Guiding Principles, and international best practices. Make the case for investment internally and push those enhancements through.

Limiting the trickle-down effect

In a bid to reduce the information demands on SMEs and small midcap companies (companies with fewer than 500 employees), the Omnibus proposes to limit the volume of information large companies can request from their suppliers, aligning information demands only to those specified under the Voluntary Standard for non-listed, micro-, small- and medium-sized undertakings. Exceptions can be made, however, such as when additional information is necessary or cannot be obtained in any other way.

Anything that seeks to limit – and provide standardisation for – information demands on suppliers is undoubtedly a good thing, provided it does not obstruct the flow of data and information in high-impact supply chains. As argued earlier, we strongly advise companies to adopt a risk-based approach to supply chain risk assessment, which may require ‘going deep’ on certain parts of the supply chain, regardless of the supplier's size. The new proposal's allowance for “exceptions” may accommodate this, though more clarity is needed here.

No requirement to implement climate transition plans

To ensure alignment with the CSRD’s reporting requirements, the Omnibus has introduced a proposal to modify the requirement for companies to “put into effect” their transition plans, with the emphasis now purely on “adoption”.

While concern has been expressed around this modification, it does appear to be more window dressing than substance since the core mechanisms that enable corporate implementation will be retained. For example, the CSRD’s text still requires company transition plans to include “time-bound targets” along with details of “implementation actions planned and taken”, as well as a requirement to “review and update those plans annually”.

Removal of EU-wide civil liability regime

Much has been made of the proposal to remove the requirement for a harmonised EU-wide civil liability regime. The rationale for doing so is the inevitable difficulties in harmonising legal systems across member states and some states' resistance to having their existing legal system and bars undermined.

This will encourage companies to “shop around” in search of the jurisdiction with the lowest bar and civil liability maturity. But surely this would have happened anyway, as transposing the CSDDD into member state regulation would always have resulted in differences in application and interpretation.

What should businesses do now?

Regardless of regulation, most businesses recognise that robust and effective supply chain sustainability due diligence minimises business and reputational risk while supporting human rights and environmental standards in supply chains.

Sustainability due diligence regulations are not new – some date back more than 10 years. The OECD Guidelines for Multinational Enterprises and the UN Guiding Principles on Business and Human Rights – the bedrock on which most due diligence regulations are based – also date back many years, even decades.

Compelling business reasons, vast amounts of guidance, and international best practices should encourage companies to upgrade their due diligence policies, systems and processes rather than wait for regulation to catch up.

The EU Omnibus will almost certainly fuel uncertainty and, if not managed carefully, risks undermining years of good progress. But it should be no excuse for inaction.
