In summer 2025, the EU adopted significant amendments to the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CS3D). The aim of these changes is to reduce the burden on companies without compromising the EU’s sustainability and human rights objectives. The new regulations affect thresholds, reporting obligations, and due diligence requirements – with considerable implications for Governance, Risk Management, and Compliance (GRC).

Key Takeaways
- Higher thresholds for CSRD and CS3D applicability
- Removal of reporting obligations for listed SMEs
- Risk-based approach to due diligence
- Extended implementation deadline until July 26, 2028
- Goal: Reduce bureaucracy while maintaining sustainability and human rights standards

Why the Changes Were Introduced
The original requirements of CSRD and CS3D drew criticism, particularly from mid-sized companies and industry associations. Main concerns included excessive administrative workload, lack of resources for implementation, and insufficient consideration of sector-specific risks. The EU responded with a revision that makes the requirements more risk-oriented and less administratively demanding, while keeping the core objectives intact.

What Has Changed
1. Higher Thresholds
The turnover and employee thresholds that determine whether the directives apply have been raised. This means fewer companies are subject to reporting and due diligence obligations.
2. Removal of Reporting Obligations for Listed SMEs
Listed small and medium-sized enterprises (SMEs) are no longer required to produce detailed sustainability reports under the CSRD.
3. Risk-Based Due Diligence
Companies must now implement due diligence primarily where human rights and environmental risks are highest. This enables a more targeted and resource-efficient approach.
4. Extended Implementation Deadline
The deadline for implementing the directives has been extended to July 26, 2028, giving companies more time to adapt their processes and systems.

Impact on Governance, Risk & Compliance
These changes highlight the growing importance of integrated GRC strategies. Companies that proactively align their governance and risk management processes with the new requirements will not only ensure compliance but also gain competitive advantages.
A risk-based approach also means companies must enhance their risk assessment processes – covering everything from supply chain oversight to internal operations and strategic decision-making.

Conclusion
By adjusting the CSRD and CS3D, the EU is addressing valid concerns from businesses without abandoning its ambitious sustainability goals. For companies, this is an opportunity to refine their sustainability and compliance strategies in a more focused and efficient way.

FAQ
1. What is the CSRD?
The Corporate Sustainability Reporting Directive requires certain companies to disclose their sustainability and ESG data.
2. What is the CS3D?
The Corporate Sustainability Due Diligence Directive establishes due diligence obligations for companies to prevent human rights and environmental violations throughout their value chains.
3. Which companies are affected by the changes?
Primarily mid-sized companies, listed SMEs, and businesses with international supply chains.
4. Why is the EU adopting a risk-based approach?
To direct resources to areas with the highest risks while reducing administrative burdens.
5. How should companies prepare?
By reviewing internal risk assessments, updating GRC processes, and integrating the new requirements into their overall strategy early on.