See all results
    There are no results matching your search.
      See all results
      There are no results matching your search.
      5th March 2026
      EcoVadis EN

      Value Chain Action & Reporting: Navigating the Post-Omnibus Landscape

      Back to the blog

      Read summarized version with:

      Just released: The Global Supply Chain Sustainability Risk & Performance Index

      Insight From EcoVadis Ratings

      Man and woman talks about work

      Sustainability regulation is evolving to balance ambition with practicality. In 2025, the European Union revised the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD) through the Omnibus Simplification Package I. These revisions aim to reduce the administrative weight on smaller businesses while preserving the core goals of the European Green Deal.

      This brief translates these changes into clarity. It provides a practical overview of the new obligations regarding supply chain data and supplier engagement. What this guide covers:

      • The Critical Intersection: Understanding how the reporting mandates of CSRD and the due diligence requirements of CSDDD are distinct yet overlapping.
      • Engagement Strategy: How in-scope companies can continue to engage trading partners on essential data requirements.
      • Regulatory Expectations: Clarifying the expectations – and protections – for companies that fall outside the direct scope of these directives.

      The core pillars of EU business sustainability: CSRD and CSDDD

      The CSRD and the CSDDD are key legislative frameworks in the European Union that aim to enhance transparency and accountability in corporate sustainability practices. They serve distinct functions: CSRD mandates transparency on sustainability risks, opportunities, and impacts, whereas CSDDD governs the active management of sustainability issues. Together, they shift the focus from simple reporting to comprehensive action across the value chain.

      CSRD: The Disclosure Mandate

      The Corporate Sustainability Reporting Directive creates a common language for corporate reporting. Its purpose is to ensure investors and stakeholders have access to comparable, reliable data regarding a company’s impacts, risks, and opportunities. By requiring disclosure under the European Sustainability Reporting Standards (ESRS), the directive creates a unified framework for sustainability data across the EU.

      The Omnibus I deal has strengthened the role of the VSME. Originally designed for smaller entities under 250 employees, this voluntary framework now applies to companies with fewer than 1,000 employees that fall outside the mandatory scope.

      Timeline: In July 2025, the European Commission adopted recommendations based on EFRAG’s technical advice. The final standard is expected later this year, with a public consultation on potential adaptations scheduled for Q2 2026.

      CSDDD: The Due Diligence Mandate

      The Corporate Sustainability Due Diligence Directive focuses on action. It mandates robust, risk-based systems to identify, prevent, and mitigate adverse human rights and environmental impacts. Crucially, this responsibility extends beyond a company’s own operations to include subsidiaries and global value chains. It is a directive driven by proactive risk management, not just disclosure.

      The Critical Overlap

      These directives are designed to work in tandem. CSDDD creates the obligation to act; CSRD creates the obligation to report on that action. The due diligence activities mandated by CSDDD – such as identifying risks and engaging with partners – generate the processes and outcomes that companies must report under CSRD. With the changes introduced by Omnibus I, this interconnected approach ensures that supply chain information is gathered and reported through a consistent, risk-based lens.

      Source and credit: Circularise

       

      Value Chain Cap: Addressing the Data Burden 

      Legislative changes often create ripples. For CSRD and CSDDD, a primary concern is the “trickle-down effect,” where compliance pressures cascade from in-scope companies to smaller partners. To manage this, the legislation introduces a “value-chain cap,” designed to limit the data burden on the supply chain.

      Value Chain Cap in the CSRD

      Limiting the data collection scope to VSME: For mandatory reporting under CSRD, companies are expected to restrict data requests for suppliers with fewer than 1,000 employees to the Voluntary SME (VSME) standard. The law guarantees these suppliers a statutory right to refuse requests that exceed this scope. 

      Balancing transparency and flexibility: Because supplier size is not always visible, transparency is essential. If a buyer requests data beyond the VSME standard, they must explicitly inform the supplier that it is the case, and of their right to decline. Where companies limit collection to the VSME standard, they are deemed compliant. In cases where primary data is unavailable, the regulation permits the use of estimates or proxies.

      Beyond mandatory reporting: Crucially, the regulation does not prevent buyers from collecting broader information for other purposes. Recital 12 in Omnibus I clarifies that the cap does not prohibit requesting information for risk management, due diligence, or voluntary sharing. The limit applies specifically to data mandated for sustainability reporting.

      Value Chain Cap in the CSDDD

      Effective due diligence is not about collecting all data; it is about collecting the right data. The CSDDD applies a risk-based principle to information collection, ensuring that requests remain proportional to the risk. This means companies must assess severity and likelihood before placing demands on their partners.

      The directive outlines a clear path to identifying potential negative impacts:

      Step 1: Scoping exercise. Companies begin by assessing general risk areas across their operations and key partners using reasonably accessible information. Crucially, at this stage, companies should not directly engage their trading partners.

      Step 2: In-depth assessment. The focus then shifts to specific areas where negative impacts are most likely or severe. This deeper assessment targets the parts of the business where risk is highest.

      Targeted Engagement 

      Detailed assessments often require data that is not publicly available. However, the CSDDD sets a clear boundary to protect smaller partners. If a business partner has fewer than 5,000 employees, information requests must be strictly targeted to the material risks identified in Step 1.

      When information is available from multiple sources, companies should prioritize partners most likely connected to the potential problem. If risks are equal, the focus turns to direct business relationships first. 

      To manage this efficiently, companies can leverage digital tools and multistakeholder initiatives. These resources allow for the mutualization of efforts, reducing the administrative burden across the network. 

      Ultimately, the CSDDD safeguards out-of-scope companies from unnecessary requests while ensuring large companies maintain a rigorous, risk-based view of their value chain.

      Reporting vs. Due Diligence – Critical Distinction 

      It is vital to distinguish between data gathering for reporting (CSRD) and engagement for due diligence (CSDDD). While the “value chain cap” limits the data a company can demand for a CSRD report, it does not restrict CSDDD obligations.

      A company may still be required to engage a supplier to mitigate specific human rights or environmental risks, even if they cannot demand broad data for their sustainability report. This distinction creates a more nuanced, purpose-driven landscape for supplier engagement.

      Monitoring: Shifting to a Risk-Based Cadence

      The regulation moves away from static schedules toward a dynamic, risk-based approach. Companies must regularly verify that they – and their partners – are effectively managing negative impacts. These checks must assess not just what is being done, but whether it is actually working.

      Under the new rules, assessments are triggered by reality, not just the calendar:

      • Trigger-based: Assessments must occur whenever significant changes happen in the value chain.
      • Performance-based: A new assessment is required if there is reason to believe current measures are no longer effective.
      • Minimum baseline: Checks must occur at least once every five years.

      This requirement applies uniformly across the EU, ensuring a consistent standard for risk monitoring regardless of national borders.

      FAQs on Value Chain Cap 

      Q: Can companies in the scope of CSDDD request information from partners with fewer than 5,000 employees?

      A: Yes. Restrictions apply, but they do not block necessary due diligence. If a partner has fewer than 5,000 employees, companies may request information that is necessary and unavailable through other means. The regulation encourages efficiency: if risks are similar, priority should be given to direct business partners. To reduce the burden, companies can leverage digital tools and multistakeholder initiatives, using both quantitative and qualitative data to build their assessment.

       

      Q: Are out-of-scope companies limited strictly to VSME data requests?

      A: No. It is critical to distinguish between reporting and risk management. The VSME cap applies specifically to data requested for CSRD reporting. However, under the CSDDD, companies must still engage suppliers to identify and mitigate human rights or environmental risks. This obligation stands even if the specific data points required for risk management fall outside the VSME standard.

       

      Q: What are the consequences of non-compliance with CSDDD? 

      A: Non-compliance carries significant weight, including investigations, corrective orders, civil liability, and fines (up to 3% of turnover). However, the directive is designed to penalize negligence, not genuine effort. The regulatory framework indicates that companies applying due diligence genuinely and proportionately are not the intended target for automatic penalties.

       

      About the Author
      EcoVadis EN
      EcoVadis is a purpose-driven company dedicated to embedding sustainability intelligence into every business decision worldwide. In 2024, EcoVadis acquired Ulula, a leading worker voice platform that strengthens its capabilities in supporting human rights due diligence. With global, trusted and actionable ratings, businesses of all sizes rely on EcoVadis’ detailed insights to comply with ESG regulations, reduce GHG emissions, and improve the sustainability performance of their business and value chain across 250 industries in 185 countries. Leaders like Johnson & Johnson, L’Oréal, Unilever, Bridgestone, BASF and JPMorgan are among 150,000+ businesses that use EcoVadis ratings, risk, and carbon management tools and e-learning platform to accelerate their journey toward resilience, sustainable growth and positive impact worldwide. Learn more on: ecovadis.com, X or LinkedIn.
      EcoVadis Community: Harness the Power of Peer Connection and Collaboration
      View Now
      New: 5 Key Accelerators of Leading Sustainable Procurement Programs
      View Now
      New: A Four-Step Blueprint for a More Resilient Supply Chain
      View Now
      Just released: The Global Supply Chain Sustainability Risk & Performance Index
      View now