CSRD 2026: are you within scope and ready to start?

The Omnibus Package has thoroughly redrawn the CSRD landscape. For many companies, the reporting obligation has been removed or postponed. But for a specific group — large unlisted companies with more than 1,000 employees and a turnover above 450 million euros — the obligation remains unchanged. The deadline has been postponed, but preparations are starting now.

In this article, we answer two questions we often hear: as a Wave 2 company, am I still within scope? And what needs to be in place today?

March 12, 2026
by
Katelijne Norga
CSRD general

What has the Omnibus Package changed?

The original CSRD would apply to all large companies with more than 250 employees – a broad net that affected tens of thousands of companies. The Omnibus Package has drastically reduced that scope.

Two changes are crucial for Wave 2 companies:

  • The threshold for the number of employees has been raised from 250 to 1,000.
  • There is a turnover threshold of more than 450 million euros – both criteria must apply.

As a result, a large group of companies that were previously within scope are now exempt from the direct reporting obligation. However, they are not completely exempt: large CSRD-obligated customers or parent companies are increasingly requesting ESG data from their suppliers. The indirect pressure remains real.

For those who are within the scope, the first official report will relate to the 2027 financial year, with initial publication in 2028. That may seem a long way off, but it is not.

Limited assurance is no easy task. An auditor who checks documents without traceable data or formal governance cannot issue a statement.

Why 2027 is closer than you think

A common misconception is: 'The deadline is 2028, we still have two years.' But CSRD reporting is not a report that you put together in the last few months of a financial year. It is an organisation-wide process that starts before the reporting year itself.

Pantarein strongly recommends that Wave 2 companies use the financial years 2025 and 2026 as test years. In concrete terms, this means:

  • Data FY2025: collect a limited data package based on the simplified ESRS drafts, train your teams and test your systems.
  • Dry run on FY2026: create a full test report and have your auditor perform an informal readiness assessment.
  • FY2027: final data collection and formal audit, with publication of the first official report in 2028.

Those who do not take advantage of these test years will lose irreplaceable time to set up data architecture, embed governance and build a materiality analysis that will survive the assurance phase.

Five building blocks that deserve attention now

Based on our work with Wave 2 companies, we consistently see the same five areas where preparation is most underestimated.

1. Double materiality analysis (DMA)

The DMA is the backbone of your entire CSRD preparation. It determines which topics you report on – and therefore also which data you need to collect, which systems you need and what your governance will look like. Starting the DMA too late puts pressure on the entire process.

What a good DMA requires, how to use it strategically and why the revised ESRS standards enable a more pragmatic approach: you can read all about this in our article on double materiality analysis.

→ Read: Double materiality analysis: from check-box to strategic compass

2. Data management

ESRS-compliant data is rarely ready-made in existing systems. Whereas financial reporting relies on consolidated figures from a single system, CSRD reporting requires data from HR, operations, finance, procurement and the supply chain – in a quality that is traceable and reproducible for an external auditor.

Most organisations underestimate what this means operationally: which systems need to be adapted, who supplies which data, via which process and at what frequency? Data architecture is not an IT issue. It is a strategic issue that needs to be addressed in good time.

3. Governance

CSRD reporting without clear ownership will stall. In practice, we see sustainability teams focusing on content, but lacking formal governance and involvement from senior management and the board of directors – even though this is mandatory for the assurance phase.

What is needed: an appointed owner or steering group for the CSRD process, internal control mechanisms, formal approval processes and effective collaboration between sustainability, finance, HR and operations. You cannot build this in a matter of weeks.

4. Reporting processes

You don't write a CSRD report in the last few months of the financial year. Data collection, internal review rounds and assurance preparation run throughout the year. Without a structured annual calendar – with clear deadlines per department and per ESRS theme – delays will pile up.

Use the test years 2025 and 2026 to calibrate those processes. Mistakes in a dry run are instructive; mistakes in the first official report are costly.

5. EU taxonomy

For organisations with relevant economic activities, the EU taxonomy is an additional obligation that is separate from ESRS reporting but is published alongside it. An eligible/aligned assessment, technical screening criteria (TSC) and the DNSH test require specific expertise and preparation. Those who only discover the taxonomy at the time of the final report will face a catch-up process that could have been avoided.

And then there is assurance

A CSRD report must undergo limited assurance. This means that an external auditor – based on random checks and interviews – verifies whether the reported data is plausible and whether the report has been prepared in accordance with ESRS standards.

Limited assurance is no easy task. An auditor who checks documents without traceable data, documented methods or formal governance cannot issue a statement. The quality of your preparation directly determines whether your first report will meet its deadline.

Three mistakes that Wave 2 companies make most often

In our projects, we see a number of patterns that recur in organisations that start too late or underestimate the complexity.

Mistake 1: postponing governance until the data is available

Many organisations want to know what needs to be reported before they think about who is responsible for what. But governance is a prerequisite for good data, not the other way around. Without formal ownership and internal control mechanisms, data collection produces unreliable results – and you only notice this when the auditor is already at the door.

Mistake 2: treating data management as an IT project

ESRS data is not a printout from an existing ERP system. It requires coordination between departments, new measurement processes and a quality framework that is audit-proof. Organisations that delegate data management to IT without strategic guidance from finance or sustainability build data architecture that does not meet ESRS standards.

Mistake 3: Treating assurance as the final step

Limited assurance is not a final check that you schedule once the report is ready. It is a quality test of your entire reporting process – from DMA to data to governance. Those who only start thinking about audit compliance in the final months run the risk of deviations or delayed publication.

Those who do not take advantage of the test years 2025 and 2026 will lose irreplaceable time. The quality of your first report is determined long before the reporting year begins.

Conclusion: the postponement offers breathing space – use it

The Omnibus Package has created breathing space for Wave 2 companies. But that space is not meant to be used to wait and see. It is meant to be used to be well prepared at the start.

Organisations that start now – with a well-thought-out data architecture, clear governance and structured reporting processes – will build a head start that will make a difference when the first official report is due. Not only towards the auditor, but also towards customers, financiers and investors who are already asking questions. This also keeps the pressure on internal teams under control.

CSRD readiness requires organisational capacity that you build up step by step – and that also delivers value beyond the reporting obligation.

Would you like to know where your organisation stands today?

During a half-day CSRD readiness scan, we map out what is already in place, where the gaps are and which steps deserve priority for the next six to twelve months. You will receive a written priority matrix tailored to your organisation.

→ More about the CSRD readiness scan

→ Read the full CSRD hub: are you within scope and haven't started yet?

→ Read also: Double materiality analysis: from check-box to strategic compass

Or contact us directly at mail@pantarein.be

Most recent

 

Overview

Water is becoming scarce. Does your company have a plan?

CBAM: from a new climate measure to a strategic advantage

CSRD 2026: are you within scope and ready to start?

Overzicht
English version
LinkedInNewsletter
Pantarein
Martelarenlaan 9
3150 Haacht

+32 (0)16 60 11 17
mail@pantarein.be
Disclaimer
Privacy Policy
Terms and Conditions
KMO-portefeuille
Close Cookie Popup
Cookie instellingen
Door op "Alle cookies accepteren" te klikken, gaat u akkoord met het opslaan van cookies op uw apparaat om de navigatie op de site te verbeteren, het gebruik van de site te analyseren en onze marketinginspanningen te ondersteunen.
Cookie instellingen
Accepteer alle cookies
Afwijzen
Close Cookie Preference Manager
Cookie instellingen
Door op "Alle cookies accepteren" te klikken, gaat u akkoord met het opslaan van cookies op uw apparaat om de navigatie op de site te verbeteren, het gebruik van de site te analyseren en onze marketinginspanningen te ondersteunen.
Strict noodzakelijk (altijd actief)
Cookies die nodig zijn voor de basisfuncties van de website.
Accepteer alle cookies
Instellingen opslaan
Made by Flinch 77
Oops! Something went wrong while submitting the form.