CSRD Omnibus I Value Chain Cap: What the New Reporting Boundary Means in Practice

Last updated: May 2026

If your sustainability reporting team has been sending broad data questionnaires to every supplier in the chain, the CSRD value chain cap changes what you can legally require them to answer. On 6 May 2026, the European Commission published explanatory information clarifying how this cap works. I have spent the morning pulling it apart, and the practical consequences are more specific than the headline suggests.

The cap does not stop you asking questions. It stops you requiring answers above a defined ceiling. That distinction matters for how you draft supplier agreements, structure data requests, and plan your ESRS disclosures from 2027 onwards.

Related reading: CSRD Sustainability Reporting

What the CSRD Value Chain Cap Actually Does

The Omnibus I Directive (Directive 2026/470, published in the Official Journal on 26 February 2026, entered into force on 18 March 2026) introduced a prohibition. Companies subject to the CSRD cannot require companies in their value chain with 1,000 employees or fewer to provide sustainability information exceeding what the voluntary sustainability reporting standard specifies.

The Directive calls these smaller entities “protected undertakings.” A protected undertaking is one that (i) does not exceed an average of 1,000 employees during the preceding financial year and (ii) sits in the value chain of a CSRD reporting undertaking. The size test is binary: either the entity has more than 1,000 employees, or it does not. If it does not, the cap applies.

I have seen teams assume this means they cannot collect value chain data at all. Wrong. The cap limits what you can require. You can still request information above the cap. But if you do, you must clearly indicate which requested items exceed the cap, and you must inform the supplier of its statutory right to decline.

Any contractual clause that violates these requirements may be deemed invalid. If your current supplier agreements contain blanket sustainability data obligations without distinguishing what falls within versus above the cap, those clauses have a legal problem once member states transpose.

The Two-Tier Protection Mechanism

The cap is not uniform across all protected undertakings. The Commission’s voluntary standard uses two modules: a basic module designed for the smallest entities (micro-undertakings) and a comprehensive module that builds on the basic one. Application of the basic module is a prerequisite for applying the comprehensive module. Each disclosure in the standard is classified into one of four categories:

• “Necessary” disclosures that a company applying the standard must report
• “Necessary if applicable” disclosures that apply only under certain conditions
• “Voluntary” disclosures the company may choose to report
• “Consideration when reporting sector information” for sector-specific items

The value chain cap equals only the “necessary” disclosures in both the basic and comprehensive modules. CSRD companies cannot require protected undertakings to provide anything beyond those “necessary” items.

Here is where the two tiers emerge. For companies with 11 to 1,000 employees, the full set of “necessary” disclosures from both modules applies. For companies with 10 employees or fewer (micro-undertakings), some disclosures that are “necessary” for larger companies are downgraded to “voluntary.” The effect is a narrower cap for micro-undertakings. They enjoy extra protection.

Annex II of the voluntary standard delegated act (currently out for public feedback via the Have Your Say portal) summarises exactly which disclosures fall inside the cap for each tier. If your value chain includes a mix of micro-undertakings and mid-size suppliers, you need two versions of your data request template.

How to Identify Protected Undertakings

Before you can apply the cap, you need to know which entities qualify. The Directive allows reporting undertakings to rely on a self-declaration from value chain companies. You do not need to verify it unless you know, or can reasonably be expected to know, that the declaration is manifestly incorrect.

Operationally, this means adding a simple question to your onboarding or annual data collection: “Does your company employ more than 1,000 people?” If the answer is no, the cap applies. You do not need headcount evidence or payroll verification unless something is obviously wrong.

I anticipate most teams will build this into their supplier portals or ESG questionnaire preambles. The operational cost is low. The legal risk of not doing it, once transposition happens, is that your data requirements become unenforceable and your contractual clauses void.

What Changes for Data Requests to Suppliers

The most common mistake I see in current CSRD implementation projects is the “maximum extraction” approach. Teams send comprehensive questionnaires to every supplier, asking for everything they might conceivably need for double materiality or ESRS topical disclosures.

The Commission’s explanatory information is explicit on this point. Recital 12 of the Omnibus I Directive states that reporting undertakings should “only request information from undertakings in their value chain insofar as necessary.” They should request less than the full voluntary standard if they do not need all of it.

This changes the design logic for data collection. Instead of building a single exhaustive questionnaire, teams now need to:

• Map which value chain entities are protected undertakings (the self-declaration step)
• Define which “necessary” disclosures from the voluntary standard they actually need for their own ESRS reporting
• For any request above the cap, add the mandatory disclosure that the item exceeds the cap and that the supplier has a right to refuse
• Remove or restructure any contractual obligation that currently requires blanket data provision without this distinction

The phrase “insofar as necessary” matters. Even within the cap, you should not be requesting every “necessary” disclosure if you do not need it. The cap is a ceiling, not a target.

What the Cap Does Not Cover

Several things remain unchanged. The cap applies only to information requests made for the purpose of CSRD reporting. If you request sustainability data from a supplier for due diligence under CS3D, risk management, or commercial reasons unrelated to CSRD, those requests fall outside the cap entirely.

The cap does not impose any obligation on protected undertakings to provide information. It limits what the reporting company can require. A supplier with 500 employees can voluntarily provide full comprehensive-module data if it wishes to. Many will, because investor or customer pressure exists independently of legal requirements.

If a protected undertaking voluntarily reports using the full standard, it will have reported everything a CSRD company could legally require. But the CSRD company can still request additional information, provided it flags the excess and the right to refuse.

The Three-Year Transition Relief for Value Chain Data

Separately from the cap (and this is a point teams frequently conflate), the Omnibus I Directive maintains a three-year transition relief. For the first three years of reporting, if a CSRD company cannot obtain all required value chain information, it may explain the reasons, the efforts made, and its plans to obtain the information in future.

After three years, the reporting requirements must be met either through direct information from value chain entities or through estimates.

Where a protected undertaking declines to provide information above the cap, the reporting company must use estimates for that portion. The three-year relief does not override the cap. It applies to information within the cap that the company has not yet been able to collect. These are two separate mechanisms and should be tracked independently in your implementation planning.

Impact on Internal CSRD Implementation

For teams currently building or refining their CSRD reporting processes, the value chain cap creates several concrete workstreams:

First, review your supplier data request templates. Any template that asks for information beyond the “necessary” disclosures in the voluntary standard needs a split version: one for entities above 1,000 employees (no cap) and one for protected undertakings (capped, with right-to-refuse language).

Second, review your supplier contracts. Any sustainability data clause that requires blanket provision of “all information reasonably requested” or similar open-ended language needs amendment. The clause must be compatible with the cap or risk invalidity.

Third, build the self-declaration mechanism. This can be as simple as a yes/no field in your procurement system or ESG platform. Track which suppliers have declared and which have not.

Fourth, map your actual data needs against the voluntary standard’s “necessary” disclosures. In my experience, most CSRD companies do not need everything in the standard from every supplier. A focused materiality-driven approach to value chain data collection was already best practice. The cap now makes it a legal requirement.

Fifth, plan your estimation methodology. Where protected undertakings decline requests above the cap (and many will, because they can), you need defensible estimates. Sector averages, spend-based proxies, or industry databases become your fallback.

Timeline and Status

The Omnibus I Directive (2026/470) entered into force on 18 March 2026. Member states must transpose its provisions into national law. The Commission’s voluntary sustainability reporting standard is currently in public feedback via the Have Your Say portal (published 6 May 2026). The Commission will adopt the final voluntary standard as a delegated act.

Article 29ca, inserted into Directive 2013/34/EU by the Omnibus I Directive, requires the Commission to adopt the voluntary sustainability reporting standards by 19 July 2026. The cap mechanism becomes operational once both the transposition and the delegated act are in place. For companies reporting from financial year 2027, this means the cap should be relevant from day one of their reporting obligation.

Companies that were in CSRD “wave one” (those required to report from financial year 2024 onwards) and remain in scope under the revised thresholds are affected immediately upon transposition. Member States have an option to exempt wave one entities that fall below the new thresholds from reporting for financial years 2025 and 2026. However, given that the voluntary standard is still in feedback, the exact boundary of “necessary” disclosures may shift before the delegated act is finalised.

Common Errors I Expect Teams to Make

Based on what I see in current implementations, three mistakes will be widespread:

First, treating the cap as a ban on value chain data collection. It is not. You can still ask. You cannot require above the ceiling, and you must disclose the right to refuse. Teams that panic and stop collecting value chain data entirely will have gaps in their ESRS reporting.

Second, failing to distinguish the two tiers. A supplier with 8 employees has a narrower cap than one with 200 employees. If you send the same capped questionnaire to both, you may be over-requiring from the micro-undertaking tier.

Third, ignoring the contractual angle. Existing supplier agreements signed before transposition may contain clauses that become invalid. Procurement teams need to be involved, not just sustainability reporting teams.

Frequently Asked Questions

What is the CSRD value chain cap?

It is a prohibition introduced by the Omnibus I Directive (2026/470) that prevents CSRD-reporting companies from requiring entities in their value chain with 1,000 employees or fewer to provide sustainability information beyond the “necessary” disclosures in the Commission’s voluntary sustainability reporting standard.

Does the cap apply to all companies in my value chain?

Only to those with 1,000 employees or fewer (“protected undertakings”). Entities above this threshold have no cap protection and can be required to provide whatever information you need for CSRD reporting.

Can I still ask suppliers for information above the cap?

Yes. You can request it. But you must clearly indicate which items exceed the cap and inform the supplier of its statutory right to decline. You cannot contractually require it.

How do I determine if a supplier is a protected undertaking?

You can rely on a self-declaration from the supplier. No verification is required unless you know or should reasonably know the declaration is manifestly incorrect.

Is the cap different for micro-undertakings?

Yes. Companies with 10 employees or fewer have a narrower cap. Some disclosures that are “necessary” for companies with 11 to 1,000 employees are downgraded to “voluntary” for micro-undertakings, meaning you cannot require those items from them.

What happens to existing supplier contracts that require broad sustainability data?

Contractual provisions that do not comply with the cap requirements (failing to identify protected undertakings, failing to distinguish cap-exceeding requests) may be deemed invalid once member states transpose the Directive.

Does the cap affect data requests made for due diligence under CS3D?

No. The cap applies only to information requests made for the purpose of fulfilling CSRD reporting obligations. Due diligence, commercial, or risk management requests are not covered.

When does the cap become effective?

The Omnibus I Directive entered into force on 18 March 2026. The cap becomes operational upon member state transposition and adoption of the voluntary standard delegated act. For companies reporting from financial year 2027, it should apply from the start of their reporting obligation.

Related Articles

• CSRD Sustainability Reporting – Comprehensive guide to who reports, what gets reported, and the ESRS framework structure
• ESMA ESEF Taxonomy Update 2026 – How the digital reporting taxonomy interacts with CSRD sustainability disclosures
• DAC6 Mandatory Disclosure Rules – Another EU reporting framework with cross-border data collection challenges
• EBA Supervisory Reporting Simplification – The broader EU trend toward reducing reporting burden on smaller entities

Key Takeaways

• The CSRD value chain cap prohibits requiring sustainability data beyond the voluntary standard’s “necessary” disclosures from entities with 1,000 employees or fewer.
• Micro-undertakings (10 employees or fewer) enjoy a narrower cap with fewer “necessary” disclosures than mid-size protected undertakings.
• You can still request information above the cap, but must flag it and inform the supplier of its right to refuse.
• Self-declarations from value chain entities are sufficient to identify protected undertakings. No verification duty unless manifestly incorrect.
• Existing supplier contracts with blanket sustainability data clauses may become invalid upon transposition.
• The cap applies only to CSRD reporting purposes. Due diligence and commercial requests remain unaffected.
• The three-year transition relief for value chain data gaps is separate from the cap mechanism. Track them independently.
• The voluntary standard delegated act is currently in public feedback (published 6 May 2026). Final “necessary” disclosures may shift before adoption.

Sources and References

• European Commission – Feedback on sustainability reporting standards: additional explanatory information regarding the value chain cap (6 May 2026)
• Directive (EU) 2026/470 (Omnibus I Directive) – EUR-Lex
• Draft delegated act – Sustainability reporting standard for voluntary use (Have Your Say portal)
• European Commission – Omnibus Package overview (1 April 2025)
• European Commission – Corporate Sustainability Reporting (legislation page)

Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.