The early 2026 “Omnibus” reform has been widely framed as a simplification exercise — fewer companies in scope, delayed timelines, and lighter administrative burdens.
But as our past analysis of the Omnibus pivot correctly points out, this is not deregulation. It is a shift from breadth to precision.
Nowhere is that more visible than in how the Omnibus reshapes Corporate Sustainability Due Diligence Directive (CSDDD) programs.
The Headline Change: Narrower Scope, Sharper Expectations
The Omnibus materially raises the thresholds for CSDDD applicability:
- EU companies: >5,000 employees + €1.5B turnover
- Non-EU companies: €1.5B EU turnover threshold
At the same time, timelines are pushed out:
- Transposition: 2028
- First application: 2029
On paper, this removes many companies from direct regulatory scope.
In practice, it does something more important:
It concentrates regulatory pressure on fewer companies — while raising expectations on how due diligence is executed.
The Structural Shift: From Blanket Mapping to Risk-Based Forensics
One of the most consequential changes is the redefinition of value chain coverage.
Before Omnibus
- Broad expectation to map and assess entire value chains
After Omnibus
- Mandatory focus on:
  - Own operations
  - Subsidiaries
  - Direct business partners
- Deeper tiers only when there is “objective and verifiable risk”
What This Means Operationally
This is not simplification. It is prioritization under scrutiny.
CSDDD programs must now answer:
- Why this supplier was assessed — and not another
- What constitutes “objective risk” in your model
- How escalation decisions are triggered and documented
This is a shift from:
- Static supplier mapping
To:
- Defensible, evidence-based risk selection
The End of “Checkbox Due Diligence”
The Omnibus also softens certain enforcement mechanisms:
- Removal of harmonized EU civil liability
- Greater reliance on national enforcement
- Administrative fines capped (e.g. ~3% turnover)
At first glance, this appears to reduce legal exposure.
But it introduces a more complex reality:
Enforcement becomes less uniform — but more investigative.
Regulators will increasingly evaluate:
- The quality of risk identification logic
- The credibility of mitigation actions
- The traceability of decisions
In other words:
- You are no longer judged on coverage
- You are judged on judgment
The Hidden Shift: Due Diligence Decoupled from Reporting
Another subtle but critical change:
- Climate transition plan obligations are removed from CSDDD
- But remain under CSRD (when material)
This creates a structural split:
| Function | Primary Directive |
| --- | --- |
| Reporting & disclosure | CSRD |
| Risk identification & mitigation | CSDDD |
Why This Matters
CSDDD programs can no longer rely on reporting frameworks to “carry” due diligence.
They must stand alone as:
- Operational systems
- Risk engines
- Decision frameworks
This aligns with a broader trend Vectra has highlighted:
Governance maturity is now measured by internal control systems, not external disclosures.
The New Core Capability: Risk-Based Evidence Architecture
Under the Omnibus, leading due diligence programs will require three structural upgrades:
1. Risk Taxonomy Engineering
Define what constitutes:
- Human rights risk
- Environmental exposure
- Supplier criticality
This must be consistent, auditable, and explainable.
2. Trigger-Based Escalation Systems
You must demonstrate:
- When deeper-tier analysis is required
- What data triggered that decision
- How quickly the response occurred
This moves due diligence into real-time operational logic.
3. Evidence Aggregation Layers
Companies must be able to reconstruct:
- Supplier relationships
- Risk signals
- Actions taken
Not as narratives — but as data-backed audit trails.
The Strategic Reality: Fewer Companies, Higher Stakes
The Omnibus reduces the number of companies formally in scope.
But it simultaneously:
- Raises expectations for those that remain
- Extends indirect pressure across supply chains
- Aligns due diligence with investor-grade scrutiny
As broader ESG frameworks continue to require risk management (CSRD, forced labor laws, sectoral rules), due diligence remains systemically relevant beyond CSDDD itself.
What This Means for Vectra’s Clients
For organizations operating complex global supply chains, the implication is clear:
This is no longer about building a due diligence program.
It is about building a due diligence system.
That system must:
- Integrate procurement, compliance, and operations
- Prioritize risk dynamically — not statically
- Produce defensible, regulator-ready evidence on demand
Final Thought: The Illusion of Simplification
The Omnibus will be interpreted by many as regulatory relief.
But the deeper signal is this:
- Less reporting breadth
- More operational accountability
CSDDD due diligence is no longer about proving you looked everywhere.
It is about proving you looked in the right places — for the right reasons — with evidence to back it up.



