Your Business Is Part of Someone Else’s Compliance: CSRD 2026 and the New Reality
Formally, for large companies. In reality, for everyone
Yes, the updated requirements are primarily aimed at the largest companies. But in today’s economy, no corporation operates in a vacuum, and when audited, it reveals not only itself but also its supply chain. And this means that the questions ‘trickle down’ - to contractors, suppliers, logistics partners and service companies of all sizes. If you work with a large business, you are already part of its audit system.
In reality, it looks much more prosaic and straightforward. No grandiose terms or complex directives. A major client simply sends a supplier questionnaire - a document of several pages where you need to answer questions about key contractors, contingency plans in case of supply disruptions, and risk control measures taken.
Sometimes it is a standard form from the procurement department. Sometimes it is a detailed questionnaire from an international group. But the essence is the same: the company must explain how predictable its business is.
Yes, the updated requirements are primarily aimed at the largest companies. But in today’s economy, no corporation operates in a vacuum, and when audited, it reveals not only itself but also its supply chain. And this means that the questions ‘trickle down’ - to contractors, suppliers, logistics partners and service companies of all sizes. If you work with a large business, you are already part of its audit system.
In reality, it looks much more prosaic and straightforward. No grandiose terms or complex directives. A major client simply sends a supplier questionnaire - a document of several pages where you need to answer questions about key contractors, contingency plans in case of supply disruptions, and risk control measures taken.
Sometimes it is a standard form from the procurement department. Sometimes it is a detailed questionnaire from an international group. But the essence is the same: the company must explain how predictable its business is.
The questions are generally not theoretical. How many alternative suppliers do you have? How quickly could you replace a critical component? Do you have insurance covering key risks? Who makes decisions in a crisis situation? Do you carry out due diligence on counterparties? Do you have internal procedures for managing conflicts of interest?
This is no longer just a formality. It is part of the due diligence process prior to signing or renewing a contract. And whereas previously a refusal to cooperate could be explained by price or terms, today the reason is increasingly the phrase ‘insufficient risk transparency’.
Formally, this is an ‘optional’ procedure. In reality, by ignoring it, you are putting the contract at risk.
The focus is shifting towards financial considerations
At the same time, the role of banks and investors is growing. They are interested not so much in the ESG document itself as in the manageability and sustainability of the business model.
In essence, they are asking the same questions as major clients - but within the context of credit risk and investment assessment. This concerns supplier concentration, supply chain vulnerabilities, internal control systems and the company’s ability to respond quickly to disruptions.
Even if you are a small manufacturing company, an IT contractor or a distributor, you may be asked to provide data on ownership structure, governance, HR policies, environmental risks or supply chain resilience.
In any case, even a small business partner has to prove that it is manageable and predictable. The only difference is that now it is not the contract but the funding that depends on the answers.
This is no longer just a formality. It is part of the due diligence process prior to signing or renewing a contract. And whereas previously a refusal to cooperate could be explained by price or terms, today the reason is increasingly the phrase ‘insufficient risk transparency’.
Formally, this is an ‘optional’ procedure. In reality, by ignoring it, you are putting the contract at risk.
The focus is shifting towards financial considerations
At the same time, the role of banks and investors is growing. They are interested not so much in the ESG document itself as in the manageability and sustainability of the business model.
In essence, they are asking the same questions as major clients - but within the context of credit risk and investment assessment. This concerns supplier concentration, supply chain vulnerabilities, internal control systems and the company’s ability to respond quickly to disruptions.
Even if you are a small manufacturing company, an IT contractor or a distributor, you may be asked to provide data on ownership structure, governance, HR policies, environmental risks or supply chain resilience.
In any case, even a small business partner has to prove that it is manageable and predictable. The only difference is that now it is not the contract but the funding that depends on the answers.
In 2026, European regulators began reviewing the requirements for large EU companies. This concerns two key directives: the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD / CS3D). First and foremost, the volume of data (Omnibus I) on social and environmental risks that companies are required to publish regularly is being reduced, as is the information on how their activities affect people and the environment. This sounds like a victory for common sense. But is everything really so rosy?
Formally, both directives and their requirements apply only to major players in the European market. And they should be of little concern to small and medium-sized businesses. However, in practice, things look quite different. It is not the fact of the audit itself that is changing, but its source.
Do small and medium-sized businesses need to comply with the CSRD/CS3D?
Officially, no. In practice, yes – if you work with large clients or raise funding, you will eventually be asked: what underpins your business, where are the weak points, and how do you manage it? Let’s explore this together with the financial advisers at LLC "EIFOS HUB".
Formally, both directives and their requirements apply only to major players in the European market. And they should be of little concern to small and medium-sized businesses. However, in practice, things look quite different. It is not the fact of the audit itself that is changing, but its source.
Do small and medium-sized businesses need to comply with the CSRD/CS3D?
Officially, no. In practice, yes – if you work with large clients or raise funding, you will eventually be asked: what underpins your business, where are the weak points, and how do you manage it? Let’s explore this together with the financial advisers at LLC "EIFOS HUB".
Non-financial risks that translate into financial costs
When an investor or bank asks about social risks, they are actually assessing: whether a dispute with staff could halt production, the risks of workplace injuries, how stable the team is, and what would happen in the event of a staff shortage. When it comes to ‘environmental risks’, they are assessing the likelihood of fines, legal proceedings or a ban on operations. When the supply chain is analysed, the resilience of the operating model is examined: how many suppliers you depend on, what would happen in the event of a disruption, and whether there is a contingency plan for ‘what to do if a key supplier/contractor suddenly leaves the market’ or ‘the service/platform stops working or blocks access’
Thus, even if the volume of formal reporting decreases, expectations regarding the quality of management do not diminish. Moreover, they become less formal and more specific: will you be able to explain the risks and demonstrate that they are being managed, rather than swept under the carpet until the next crisis?
What this means for businesses today
Any business operating within European supply chains or seeking financing must be prepared to demonstrate its risk structure, contractual transparency, supplier diversification and ability to respond swiftly to external shocks.
This is precisely why preparing for the new conditions is not about writing a report ‘just in case’, but about building a management system. A map of key dependencies, a clear structure of accountability, transparent contractual mechanisms and an understanding of regulatory risks are becoming a competitive advantage.
A triumph of common sense or a new market filter?
Major clients, banks or investors will ask questions not because a directive requires it, but because they need to be confident in their partner. Under this logic, the companies that come out on top are those capable of clearly explaining how manageable their business is, what factors it depends on, and what risks they control.
Eifos Hub notes: the due diligence associated with the updates to the CSRD and CS3D directives is changing form. It is shifting from ‘the state demands a report’ to ‘money demands proof’. It is gradually moving from a formal report to the realm of market-driven questions.
This does not mean that every company operating in the European market will face such scrutiny. But such situations will arise more frequently. Banks, investors, clients and partners will continue to assess a counterparty’s predictability - through the transparency and manageability of its business.
And money, as a rule, asks tougher questions than any regulator.
When an investor or bank asks about social risks, they are actually assessing: whether a dispute with staff could halt production, the risks of workplace injuries, how stable the team is, and what would happen in the event of a staff shortage. When it comes to ‘environmental risks’, they are assessing the likelihood of fines, legal proceedings or a ban on operations. When the supply chain is analysed, the resilience of the operating model is examined: how many suppliers you depend on, what would happen in the event of a disruption, and whether there is a contingency plan for ‘what to do if a key supplier/contractor suddenly leaves the market’ or ‘the service/platform stops working or blocks access’
Thus, even if the volume of formal reporting decreases, expectations regarding the quality of management do not diminish. Moreover, they become less formal and more specific: will you be able to explain the risks and demonstrate that they are being managed, rather than swept under the carpet until the next crisis?
What this means for businesses today
Any business operating within European supply chains or seeking financing must be prepared to demonstrate its risk structure, contractual transparency, supplier diversification and ability to respond swiftly to external shocks.
This is precisely why preparing for the new conditions is not about writing a report ‘just in case’, but about building a management system. A map of key dependencies, a clear structure of accountability, transparent contractual mechanisms and an understanding of regulatory risks are becoming a competitive advantage.
A triumph of common sense or a new market filter?
Major clients, banks or investors will ask questions not because a directive requires it, but because they need to be confident in their partner. Under this logic, the companies that come out on top are those capable of clearly explaining how manageable their business is, what factors it depends on, and what risks they control.
Eifos Hub notes: the due diligence associated with the updates to the CSRD and CS3D directives is changing form. It is shifting from ‘the state demands a report’ to ‘money demands proof’. It is gradually moving from a formal report to the realm of market-driven questions.
This does not mean that every company operating in the European market will face such scrutiny. But such situations will arise more frequently. Banks, investors, clients and partners will continue to assess a counterparty’s predictability - through the transparency and manageability of its business.
And money, as a rule, asks tougher questions than any regulator.
Request a consultation
