The single biggest misconception in sustainability reporting right now is that the Omnibus package switched CSRD off. It did not. For Wave 1 companies, CSRD Wave 1 reporting continues in 2026, this time covering FY2025 data, and the obligation stands until your member state formally transposes an exemption into national law. The first CSRD reports, covering FY2024, were already published in 2025. The 2026 cycle is your second report, not your first, and the rules that apply to it are not the simplified rules you may have read about.

This guide sets out, accurately, what Wave 1 companies still must disclose in 2026, what the Omnibus actually changed, what has not changed, and how to build a defensible, audit-ready data foundation rather than a one-time reporting exercise.

📌 Want to see whether your existing REACH, RoHS, and PFAS data already covers your ESRS E2 and E5 disclosures? Book a Compliance + ESG Data Foundation Workshop.

Key Takeaways

📌 Wave 1 companies still report under CSRD in 2026, covering FY2025 data, using the original ESRS with Quick Fix reliefs, not the simplified standards.

⏳ The simplified ESRS (around a 61% datapoint reduction) apply from FY2027 at the earliest, with optional early adoption for FY2026. They do not apply to the 2026 report.

📌 Omnibus narrowed CSRD scope to companies above 1,000 employees and €450 million net turnover, but the new thresholds bind only once published and transposed into national law.

⚠️ Member states may exempt de-scoped Wave 1 entities from FY2025 and FY2026 reporting, but until that exemption is in national law, you should assume the obligation still applies.

📊 Double materiality assessment remains mandatory, and limited third-party assurance is still required. The Omnibus removed the path toward reasonable assurance, keeping the bar at limited.

🏭 For manufacturers, ESRS E2 (Pollution) and E5 (Resource use and circular economy) draw on the same substance and material data you already collect for REACH, RoHS, and PFAS.

🤖 Treating ESRS disclosure as a continuous data problem, sourced from a product-level compliance backbone, is more defensible under assurance than consultancy-led, one-time reporting.

Why 2026 Is Still a Reporting Year for Wave 1

Wave 1 entities are large public-interest companies already subject to the earlier Non-Financial Reporting Directive. Their first CSRD reports were published in 2025 covering FY2024. In 2026, these same companies publish their second CSRD report, covering FY2025 data, alongside the management report in their annual financial statements.

The exact filing date depends on your fiscal year-end and your member state's rules, so there is no single pan-EU calendar date. What matters for compliance leaders is that the obligation is live. Reviewing the current EU CSRD framework requirements against your FY2025 data set should already be underway.

What the Omnibus Package Actually Changed

The Omnibus simplification package moved through 2025 and into 2026 in stages, and the distinction between what is adopted and what is proposed matters.

Scope reduction

The revised CSRD thresholds limit mandatory reporting to companies with more than 1,000 employees and more than €450 million in net turnover. These thresholds are not automatically effective. They bind only once published in the Official Journal and transposed into national law, which is a member-state by member-state process. Until then, the original scope and your existing obligation continue, a nuance that multi-jurisdiction ESG management has to account for directly.

Stop-the-clock for later waves

The Stop-the-Clock directive, adopted in April 2025, delayed Wave 2 reporting by two years. Wave 2 companies now report FY2027 in 2028 rather than FY2025 in 2026. The original Wave 3 population of listed SMEs is largely removed from mandatory scope. This is why 2026 is, for most non-Wave-1 companies, a preparation year rather than a reporting year.

Wave 1 exemption is optional, not automatic

The Omnibus lets member states exempt de-scoped Wave 1 entities from FY2025 and FY2026 reporting. The key word is "lets." Until your specific member state writes that exemption into national law, you remain obligated. Tracking this kind of moving target is exactly where regulatory intelligence and horizon scanning earns its place in the compliance stack.

Datapoint simplification is future-dated

EFRAG delivered streamlined ESRS that reduce mandatory datapoints by roughly 61 percent and remove voluntary disclosures. This is the change most often misreported. The simplified ESRS are expected to apply from FY2027, with optional early adoption for FY2026. They do not govern the 2026 report. For FY2025, Wave 1 companies use the original ESRS with the Quick Fix reliefs already in force. You can confirm the technical detail directly through the European Commission's sustainability reporting pages and EFRAG.

CSRD Omnibus changes versus unchanged Wave 1 reporting obligations for 2026

Click on image to view full

What Has Not Changed: Double Materiality and Assurance

Two pillars survive the Omnibus intact, and both shape the 2026 report.

📌 Double materiality assessment remains mandatory. You still assess both how sustainability matters affect the business (financial materiality) and how the business affects people and environment (impact materiality). The simplified standards refine this process for the future, but for FY2025 the existing approach applies.

📄 Limited assurance is still required over the sustainability statement. Notably, the Omnibus removed the previously signaled escalation toward reasonable assurance, holding the requirement at limited. That does not lower the evidentiary bar in practice. An assurance provider will still test whether your disclosures are supported by traceable, time-stamped evidence, which is where continuous audit-ready documentation becomes decisive.

No software and no consultancy makes a report audit-proof. The realistic objective is to be audit-ready: to reduce surprises and shorten the time it takes to produce a defensible evidence pack when an assurer or regulator asks.

The Manufacturer Angle: ESRS E2 and E5

For manufacturers, the most resource-intensive parts of an ESRS report are often the environmental topical standards, and they overlap heavily with compliance data you already hold.

ESRS E2: Pollution

ESRS E2 covers substances of concern and substances of very high concern. That maps directly onto your REACH SVHC obligations, your RoHS restricted substances data, and your PFAS exposure across products. The same substance declarations that feed your product compliance program are the evidentiary base for E2 disclosures.

ESRS E5: Resource use and circular economy

ESRS E5 covers resource inflows and outflows, material composition, and circularity. This draws on bill-of-materials data, recycled content, and material mapping. Organizations practicing BOM-level material mapping already hold much of the structured data E5 expects, rather than reconstructing it manually each cycle.

A practical CORA example

A common request is: "Generate an ESRS E5 substance and material disclosure for product line Y from existing REACH and RoHS data." CORA-powered regulatory intelligence can assemble that view from the product-level records already in the system, so the disclosure is sourced from the same backbone that supports materials and environmental compliance, not a separate, manually maintained ESG spreadsheet.

Reporting and Documentation Challenges

The recurring failure mode in CSRD reporting is not analytical, it is evidentiary. Teams can describe a metric but cannot show, on demand, where the number came from, who provided it, and when.

⚠️ Fragmented source data sits in ERP, PLM, supplier emails, and standalone spreadsheets.
⚠️ Supplier responses arrive in inconsistent formats, with the new Omnibus value-chain cap limiting what you can require from smaller suppliers.
⚠️ Evidence lacks version history, so reproducing a prior-period figure for an assurer is slow and error-prone.

A defensible report depends on evidence chain integrity: a clear record of who submitted each data point, when it was submitted, and on what authority. This is a data versioning problem as much as a sustainability problem, and it is solved with immutable logs, time-stamped declarations, and point-in-time retrieval, the same disciplines used in automated supplier data collection.

Compliance Risk and Enforcement Exposure

Enforcement of CSRD is delegated to national regulators, and penalties are set at member-state level rather than by a single EU-wide figure. The practical exposures are broader than fines:

📌 Assurance qualifications that signal weak data governance to investors and lenders.
⚠️ Customer and OEM audit findings, since procurement teams increasingly request ESG evidence as part of supplier qualification.
🔗 Value-chain pressure, where your own customers' CSRD obligations cascade data requests down to you, regardless of your own scope status.

For a deeper view of how reporting gaps become operational risk, see why ESG failure is a supply chain risk, not just a reporting issue.

Wave 1 2026 Readiness Checklist

✅ Confirm your member state's transposition status and whether any Wave 1 exemption applies to you yet.
✅ Confirm you are reporting FY2025 against the original ESRS with Quick Fix reliefs, not the simplified standards.
✅ Refresh your double materiality assessment for the FY2025 period.
✅ Map ESRS E2 and E5 datapoints to existing REACH, RoHS, PFAS, and BOM data sources.
✅ Establish a single, versioned evidence repository with time-stamped, attributable records.
✅ Prepare your limited assurance evidence pack before the assurer's fieldwork begins.
✅ Decide whether to early-adopt simplified ESRS for FY2026 or stay on the current basis.

Workflow mapping product compliance data to ESRS E2 and E5 disclosures for CSRD

Click on image to view full

Continuous Reporting vs. Consultancy-Led Reporting

A consultancy-led report is built once a year, by hand, from data gathered in a sprint. It produces a document, but it does not produce a system. When the assurer asks how a FY2025 figure was derived, or when a customer audit lands in FY2026, the work effectively restarts.

A continuous model treats disclosure as an output of a maintained data backbone. The same centralized compliance data backbone that tracks substances and suppliers year-round produces the ESRS view on demand. The difference shows up most clearly under limited assurance, where reproducibility and traceability, not narrative, determine how smoothly fieldwork goes.

How AI and a Compliance Data Backbone Support ESRS

AI-native compliance automation does not replace your reporting judgment. It removes the manual retrieval, reconciliation, and formatting that consume most of the reporting cycle.

🤖 AI document parsing and certificate validation extracts substance and material data from supplier declarations and test reports at intake.
📊 BOM-level compliance intelligence links those declarations to specific products, so E2 and E5 disclosures trace to real components.
📄 Continuous audit-ready documentation maintains the version history an assurer needs for point-in-time evidence.
🔗 Multi-tier supply chain transparency and supplier self-service portals keep value-chain data current within the limits the Omnibus value-chain cap allows.

For how this works across the supply base, see how Certivo streamlines ESG data collection across your supply chain.

Executive Conclusion

CSRD Wave 1 reporting is not over, and 2026 is not a pause. Wave 1 companies report FY2025 under the original ESRS this year, double materiality and limited assurance both remain in force, and the simplified standards everyone is discussing apply later, not now. The Omnibus narrowed who reports in the future, but it did not retire the current obligation for companies still in scope.

For manufacturers, the most efficient path is to recognize that ESRS E2 and E5 run on the substance and material data you already collect for REACH, RoHS, PFAS, and conflict minerals. Sourcing those disclosures from a continuous, product-level compliance backbone, rather than rebuilding them by hand each year, is what makes a Wave 1 report defensible under assurance.

📌 To pressure-test your FY2025 readiness and see where your existing compliance data already satisfies ESRS, Book a Compliance + ESG Data Foundation Workshop or speak with a compliance specialist.