CSRD 2026: Wave 2 Deadline, the Omnibus Delay, and Why Your Sustainability Reporting Data Must Stay in the EU
Post #1014 in the sota.io EU Compliance Series
The Corporate Sustainability Reporting Directive (CSRD, Directive 2022/2464/EU) is the EU's mandatory ESG disclosure framework — and May 2026 is when wave 2 companies are discovering just how complicated compliance has become. Roughly 50,000 additional companies must now report FY2025 sustainability data under ESRS (European Sustainability Reporting Standards), but a February 2026 Omnibus Simplification proposal has introduced uncertainty: delay by two years, or press on?
Here is the critical point most legal teams miss: the Omnibus proposal is not yet law. Until the European Parliament and Council of the EU co-decide, the current CSRD timeline remains legally binding. Companies that pause their reporting software rollouts because they heard "CSRD is delayed" are making a compliance gamble — and they are storing sensitive ESG data in US-parent-controlled cloud tools in the meantime.
What CSRD Actually Requires
CSRD (Directive 2022/2464/EU, OJ L 322/15, published 16.12.2022) amends the Non-Financial Reporting Directive (NFRD, Directive 2014/95/EU) and makes sustainability reporting mandatory under auditable ESRS standards.
The Three Reporting Waves
| Wave | Scope | First Report Covers | Report Due |
|---|---|---|---|
| Wave 1 | Large PIEs >500 employees (prev. NFRD scope) | FY2024 | 2025 |
| Wave 2 | All large companies: >250 employees OR >€40m turnover OR >€20m balance sheet total | FY2025 | 2026 |
| Wave 3 | Listed SMEs, small non-complex credit institutions | FY2026 | 2027 |
Wave 1 companies already filed in 2025. Wave 2 — roughly 50,000 entities — are due now.
What ESRS Requires You to Report
ESRS consists of 12 standards covering the full ESG spectrum:
Environmental (ESRS E1–E5):
- E1: Climate change (Scope 1/2/3 greenhouse gas emissions, temperature target alignment)
- E2: Pollution (air, water, soil, substances of concern)
- E3: Water and marine resources
- E4: Biodiversity and ecosystems
- E5: Resource use and circular economy
Social (ESRS S1–S4):
- S1: Own workforce (pay gap, safety, working conditions, collective bargaining)
- S2: Workers in the value chain
- S3: Affected communities
- S4: Consumers and end-users
Governance (ESRS G1):
- Business conduct (anti-corruption, lobbying, payment practices)
Plus ESRS 1 (general requirements) and ESRS 2 (general disclosures), which apply to all.
The Data Infrastructure Implication
Collecting and auditing ESRS data requires software infrastructure that:
- Integrates with ERP/finance systems (energy bills, payroll, procurement)
- Captures Scope 3 supply chain emissions
- Stores employee social data (S1 — pay equity, safety incidents)
- Produces XBRL-tagged filings for regulators
- Supports double materiality assessment (DMA) workflows
Every one of these requirements involves sensitive financial, HR, and operational data — exactly the category most exposed to CLOUD Act risk.
The Omnibus Simplification: What It Is, What It Isn't
On 26 February 2026, the European Commission published the Corporate Sustainability Omnibus (COM(2026) 87 final), a simplification package that proposes:
- Delaying wave 2 and wave 3 by two years (FY2025 → FY2027 for wave 2)
- Narrowing the scope of mandatory ESRS disclosures (removing ESRS E2–E5 from mandatory to voluntary for most entities)
- Raising the CSRD threshold (shifting from >250 employees to >1,000 employees for mandatory scope)
- Reducing ESRS data points by approximately 70%
Why Companies Cannot Simply Wait
The Omnibus is a Commission proposal. It must now pass through:
- European Parliament (ECON committee, followed by plenary vote)
- Council of the European Union
- Trilogue negotiation between Parliament and Council
- Publication in the Official Journal
As of May 2026, the legislative process is at an early Council working party stage. The earliest realistic adoption timeline is late 2026 or Q1 2027 — and even then, it would need national transposition for some elements.
The binding legal position today: Wave 2 companies (>250 employees or €40m+ turnover or €20m+ balance sheet) remain legally obligated to report FY2025 data under the current CSRD timeline unless and until amending legislation is adopted and takes effect.
CSRD Reporting Software: US Tools Dominate, CLOUD Act Risk Follows
The enterprise sustainability reporting software market is dominated by US-incorporated vendors. Here is what that means for EU companies' data.
IBM Envizi (IBM Environmental Intelligence Suite)
Corporate structure: IBM Corporation, Armonk, New York 10504, USA. Delaware incorporated.
CLOUD Act exposure: IBM is unambiguously subject to the Clarifying Lawful Overseas Use of Data Act (18 U.S.C. § 2713). The US government can compel IBM to produce customer data stored anywhere in the world, including IBM Cloud EU Frankfurt regions.
Data processed: Scope 1/2/3 emissions, energy bills, water consumption, waste data, ESG metrics.
GDPR concern: IBM Envizi relies on Standard Contractual Clauses for EU-US data transfers. Transfer Impact Assessments (TIAs) required under Art.46(1) GDPR must account for CLOUD Act compellability — which undermines the TIA analysis.
Risk level: HIGH
Salesforce Net Zero Cloud
Corporate structure: Salesforce, Inc., San Francisco, California, USA. Delaware incorporated.
CLOUD Act exposure: Subject to US government data requests despite EU data centre availability. The Salesforce EU Operating Headquarters (salesforce.com/eu) is a marketing entity, not the data controller — Salesforce, Inc. remains the data processor.
Data processed: Carbon accounting, supply chain emissions (Scope 3), climate targets, employee diversity data (aligns with S1 ESRS).
GDPR concern: Employee pay equity and diversity data (ESRS S1) is personal data under GDPR Art.4. Salesforce's EU GDPR DPA covers SCCs but does not eliminate CLOUD Act jurisdiction.
Risk level: HIGH
Workiva (Workiva ESG Reporting)
Corporate structure: Workiva Inc., Ames, Iowa 50010, USA. Iowa incorporated, NASDAQ: WK.
CLOUD Act exposure: US-headquartered, no EU legal entity with data control authority. Financial and ESG data processed under US jurisdiction even when hosted in AWS eu-west-1 (Dublin).
Data processed: ESRS narrative disclosures, XBRL tagging, audit trail documentation, board governance data.
Speciality concern: Workiva's core value proposition is "audit-ready" reporting. The irony: the audit trail itself — documenting your company's most sensitive operational and governance decisions — sits in a US-compellable system.
Risk level: HIGH
Diligent One Platform
Corporate structure: Diligent Corporation, 1385 Broadway, New York, NY 10018, USA. New York incorporated.
CLOUD Act exposure: Full US jurisdiction. Diligent markets a "Diligent Trust" framework but this is a contractual arrangement, not a legal barrier to US government access.
Data processed: Board meeting governance, executive compensation disclosure (ESRS G1), whistleblower reports linked to CSRD governance disclosures.
Risk level: HIGH
Watershed
Corporate structure: Watershed Technology Inc., San Francisco, California, USA.
CLOUD Act exposure: California-based startup, full US CLOUD Act jurisdiction.
Data processed: Scope 3 supply chain emissions, supplier data, carbon accounting.
Risk level: HIGH
SAP Sustainability (SAP BTP Basis)
Corporate structure: SAP SE, Walldorf, Baden-Württemberg, Germany. German Societas Europaea — NOT a US entity.
CLOUD Act exposure: SAP SE itself is not subject to CLOUD Act. However, SAP Business Technology Platform (BTP) can run on AWS, Azure, and Google Cloud infrastructure in various deployment options. If SAP customers choose hyperscaler-backed BTP infrastructure managed by SAP's US subsidiary (SAP America Inc.), CLOUD Act exposure can re-enter through that path.
GDPR position: SAP SE, as a German SE, is directly subject to the German BDSG and GDPR. Data stored under SAP-managed EU infrastructure (SAP HANA Cloud EU Hetzner nodes or SAP-owned Frankfurt DC) avoids the CLOUD Act vector.
Risk level: LOW (if EU-native SAP infrastructure used), MEDIUM (if hyperscaler BTP with US parent management)
EU-Native CSRD Reporting Tools
Sweep (Paris, France)
Corporate structure: Sweep SAS, Paris, France. French Société par Actions Simplifiée.
Jurisdiction: French company law (Code de Commerce). No US parent. No CLOUD Act exposure.
Features: Scope 1/2/3 carbon accounting, ESRS alignment, double materiality assessment, supplier engagement tools. AWS eu-west-3 (Paris) infrastructure.
ESRS coverage: E1 (Climate), G1, partial S1. Not yet full ESRS suite.
Revenue model: Enterprise SaaS.
sota.io angle: Custom CSRD data collection apps, ESG dashboards, and internal tooling deployed via sota.io remain entirely in EU jurisdiction.
EcoVadis
Corporate structure: EcoVadis SAS, Paris, France. French SAS. No US parent.
Jurisdiction: French commercial law. No CLOUD Act exposure.
Features: ESG rating platform (for supply chain ESRS S2 assessments), sustainability scorecards, questionnaire-based assessments. Strongest in Scope 3 supply chain evaluation.
ESRS coverage: Strong for S2 (value chain workers), partial E1. Not a comprehensive ESRS reporting platform.
Note: EcoVadis positions primarily as a supplier risk rating service rather than a full CSRD filing solution.
Greenomy
Corporate structure: Greenomy SA, Brussels, Belgium. Belgian naamloze vennootschap. No US parent.
Jurisdiction: Belgian company law. No CLOUD Act exposure.
Features: EU Taxonomy alignment tool, ESRS gap analysis, double materiality workflows. Built specifically for the EU regulatory stack.
ESRS coverage: Strong for EU Taxonomy (E1 through E5), ESRS 2, governance disclosures. Growing ESRS suite.
Target market: Medium enterprises subject to CSRD wave 2.
Position Green
Corporate structure: Position Green AB, Stockholm, Sweden. Swedish aktiebolag. No US parent.
Jurisdiction: Swedish company law (aktiebolag). EU/EEA entity. No CLOUD Act exposure.
Features: ESG data collection platform, stakeholder reporting, ESRS data point management, automated data aggregation from operational systems.
ESRS coverage: Broad ESRS coverage including E, S, and G standards.
Compliance Checklist (Wave 2, FY2025 Filing)
Pre-Filing (Q1/Q2 2026):
- Confirm your company qualifies as "large company" under CSRD Art.3(4) — two of three criteria: >250 employees, >€40m turnover, >€20m balance sheet
- Determine first application date — if listed on EU regulated market, potentially wave 1
- Conduct double materiality assessment (DMA) per ESRS 1
- Identify material sustainability topics (which ESRS standards apply)
- Assess whether your CSRD reporting software processes personal data (ESRS S1 pay data = personal data under GDPR Art.4)
- Review SCCs and TIAs for any US-parent cloud tools used in ESG data processing
- Engage statutory auditor (or third-party assurer) for limited assurance on CSRD disclosures
Data Infrastructure:
- Map all data sources feeding ESRS disclosures (energy bills, HR systems, supply chain data)
- Audit whether data flows to US-parent cloud tools during ESG collection
- If US-parent tools used: document TIA, legal basis, and risk acceptance
- For EU-native tooling: verify no US-parent subsidiary data processing agreement exists
XBRL Tagging:
- CSRD requires machine-readable XBRL-tagged disclosures per Art.29d(1)
- Delegated Regulation on digital taxonomy for ESRS expected Q4 2026 — monitor EFRAG publication
The sota.io Connection
If your team is building custom CSRD data collection pipelines, ESG dashboards for internal reporting, or double materiality assessment tools, the hosting decision matters. EU companies processing ESRS S1 data (employee pay equity, working conditions) and ESRS E1 data (energy procurement, Scope 2 contracts) via custom applications need infrastructure that does not create an additional CLOUD Act transfer risk.
sota.io provides EU-native deployment on Hetzner Germany infrastructure. No US parent. No CLOUD Act exposure. Your custom CSRD tooling stays under German/EU jurisdiction.
Summary Table
| Tool | HQ | CLOUD Act | ESRS Coverage | Target Size |
|---|---|---|---|---|
| IBM Envizi | New York, USA | ⛔ High | Broad | Enterprise |
| Salesforce Net Zero Cloud | San Francisco, USA | ⛔ High | Broad | Enterprise |
| Workiva | Iowa, USA | ⛔ High | Broad | Enterprise |
| Diligent One | New York, USA | ⛔ High | G1, governance | Enterprise |
| Watershed | San Francisco, USA | ⛔ High | E1 (Scope 3) | Mid-market |
| SAP Sustainability | Walldorf, Germany | ✅ Low (EU infra) | Broad | Enterprise |
| Sweep | Paris, France | ✅ None | E1, G1 | Mid-market |
| EcoVadis | Paris, France | ✅ None | S2, partial E1 | Mid-market |
| Greenomy | Brussels, Belgium | ✅ None | Taxonomy, ESRS 2 | SME/Mid |
| Position Green | Stockholm, Sweden | ✅ None | Broad ESRS | Mid-market |
The pattern is consistent across EU compliance software: US-headquartered vendors dominate market share, but the underlying legal risk of CLOUD Act compellability follows corporate structure, not server location. For CSRD data — which includes sensitive employee compensation data, supplier financial information, and governance documentation — the jurisdictional choice matters.
The Omnibus may delay the formal deadline. The data sovereignty risk does not wait for the legislative calendar.