Why ESRS S2-5 got harder post-Omnibus

The Omnibus simplification package was read across the listed-issuer community as a relaxation. The headline numbers supported that reading: scope thresholds raised, data-points reduced, transposition delayed. The reading was incomplete. For listed parents with construction-portfolio operating companies and for PE funds holding industrial assets, the disclosure that matters most — ESRS S2-5, substantiated human-rights incidents involving value-chain workers — was not relaxed. It was strengthened, and the forensic burden at the operating-company level increased rather than decreased.

What Omnibus actually changed

The Omnibus I directive (Directive (EU) 2026/470, in force 18 March 2026) narrowed the entity perimeter and reduced the volume of mandatory ESRS data-points. The visible headline numbers are well known. CSRD scope was raised to undertakings exceeding 1,000 employees and EUR 450 million net turnover, up from the previous 250-employee and EUR 50 million floor. CSDDD scope was raised to undertakings exceeding 5,000 employees and EUR 1.5 billion turnover. CSDDD transposition was pushed from 26 July 2027 to 26 July 2028. The EFRAG Amended ESRS cuts mandatory data-points by approximately 61 per cent, and value-chain worker data-points were given an optional two-year phase-in.

This is the surface reading. The disclosure intensity per in-scope entity did not fall in proportion. For the data-points that survived, the assurance bar went up.

ESRS S2 survives — and S2-5 was strengthened

All five ESRS S2 disclosure requirements remain after the Amended ESRS. S2-1 (policies related to value-chain workers) is retained. S2-2 (processes for engaging with value-chain workers) is retained, with previously separate engagement disclosures consolidated. S2-3 (channels for value-chain workers to raise concerns) is retained. S2-4 (taking action on material impacts on value-chain workers) is retained. And S2-5 (substantiated human-rights incidents involving value-chain workers) is retained and explicitly strengthened. The Amended ESRS introduces a clearer datapoint requiring disclosure of substantiated incidents — not allegations, not unverified complaints, but findings that have been investigated by a defined process and confirmed.

For a CSRD-in-scope listed parent consolidating construction operating companies, or a PE fund consolidating industrial portfolio assets for LP reporting, S2-5 is the surface where forensic granularity matters most. It is the disclosure where the auditor turns from analytical procedures to substantive testing first.

What “substantiated” means in operational terms

This is the analytical core. The S2-5 reporting unit is not “the company received complaints during the period”. It is a specific incident, affecting a named worker or worker group, investigated by a defined process, with a finding established as substantiated, partially substantiated, or unsubstantiated, with remediation taken or in progress, and reportable at the value-chain level — Tier-1 supplier or beyond where material under ESRS 1 §53.

The operational implication is that the operating company must hold, at the deployment gate, a documented grievance channel that satisfies S2-3, a documented investigation process that produces a finding, a documented remediation register linking findings to actions, a documented outcome for each substantiated incident, and a chain-of-custody for the underlying evidence that survives transfer across operating tiers. These are not back-office reporting artefacts. They are operational systems that must exist before any incident occurs, because the act of substantiation requires a process that was already in place when the underlying event happened.

If the per-worker evidence pack was not assembled at deployment, S2-5 disclosure becomes a forensic recovery problem at audit. Recovery typically falls into the second quarter of the year following the reporting cycle, when the operating company is also closing the next deployment cycle and has no operational bandwidth to reconstruct grievance records retroactively. The cost is asymmetric: prevention is cheap, reconstruction is expensive and frequently incomplete.

The four-hop flow-through

The disclosure architecture for a listed parent or PE fund is structurally four hops from the worksite. The operating company holds per-worker grievance, investigation, and remediation records. The workforce-mobilisation operator aggregates those records across the deployment cycle and produces the operator-level evidence pack. The listed parent or PE fund consolidates portfolio operating-company data into the group sustainability statement. The LP or institutional investor receives the fund-level or group-level disclosure as input to its own ESRS S2 report, applying its own materiality lens.

Each hop is audit-traceable. Each hop fails forensically if the evidence was not captured at the worksite. The CFO at the listed parent cannot reconstruct S2-5 substantiated-incidents data from invoices and contractor master agreements. The Operating Partner at the PE fund cannot reconstruct it from portfolio quarterly reporting. The data only exists if the grievance, investigation, and remediation processes were operational on Day-0 of the deployment, and if the per-worker evidence pack was constructed contemporaneously with the work it documents. The CSRD workforce disclosure layer is built at the deployment gate or it is not built at all.

France Loi 2017-399 makes this asymmetric

France retained Loi 2017-399 (devoir de vigilance) with its 5,000 French employee and 10,000 worldwide employee thresholds. It explicitly will not align downward to the new CSDDD floors set in the Omnibus package. For French entities in scope of Loi 2017-399 — which captures most CAC 40 industrials and large French subsidiaries of foreign parents — the Plan de Vigilance obligation is independent of the Omnibus changes. The annual reporting requirement continues. The civil-liability exposure before the Tribunal Judiciaire de Paris remains. S2-5-style substantiated-incidents data is part of the Plan de Vigilance evidence record, regardless of whether the parent is also in scope of CSRD or CSDDD.

For a French parent with construction subsidiaries, the per-worker evidence requirement runs under both CSRD where applicable and Loi 2017-399 independently, and the French regime is unaffected by Omnibus. The asymmetry creates a higher floor in France than the Omnibus headline thresholds suggest.

What this means for the per-worker evidence pack

The pre-Cycle-15 framing of the per-worker evidence pack was that it served as the CSDDD readiness layer. Post-Omnibus, the framing has sharpened. The per-worker evidence pack is now the S2-5 substantiated-incidents source data for in-scope listed entities. It is the Loi 2017-399 Plan de Vigilance substrate for French in-scope entities, continuous and unaffected by Omnibus. It is the CSDDD direct-supplier due-diligence record, operational under the Wave 1 threshold from 26 July 2029 but accruing from the date of deployment. And it is the Modern Slavery Act 2015 §54 disclosure substrate for UK-listed parents whose group operations include UK turnover above the §54 threshold.

Four disclosure regimes, one evidence substrate. The substrate is constructed at the deployment gate, contemporaneously with the work it documents, or it is forensically unrecoverable at year-end. For the listed parent and PE portfolio reader, the operational question is not whether the per-worker evidence pack is built — that question is closed by S2-5 — but whether it is built at the operating-company level early enough to flow up four hops in time for the group disclosure cycle.

The Omnibus simplification narrative is correct on volume and incorrect on intensity. The data-points that survived are the data-points that auditors will substantively test first. S2-5 is at the top of that list.

---

References

1. Directive (EU) 2026/470 of the European Parliament and of the Council amending Directive (EU) 2022/2464 and Directive (EU) 2024/1760 as regards corporate sustainability reporting and corporate sustainability due diligence (Omnibus I), in force 18 March 2026.

2. Directive (EU) 2022/2464 of the European Parliament and of the Council of 14 December 2022 amending Regulation (EU) No 537/2014, Directive 2004/109/EC, Directive 2006/43/EC, and Directive 2013/34/EU, as regards corporate sustainability reporting (CSRD).

3. Directive (EU) 2024/1760 of the European Parliament and of the Council of 13 June 2024 on corporate sustainability due diligence (CSDDD).

4. Commission Delegated Regulation (EU) 2023/2772 of 31 July 2023 supplementing Directive 2013/34/EU as regards sustainability reporting standards (European Sustainability Reporting Standards — ESRS).

5. EFRAG, ESRS S2 — Workers in the Value Chain (Amended), 2026.

6. EFRAG, Implementation Guidance IG 1: Materiality Assessment, January 2024, retained under Amended ESRS.

7. Loi n° 2017-399 du 27 mars 2017 relative au devoir de vigilance des sociétés mères et des entreprises donneuses d’ordre.

8. Modern Slavery Act 2015 (United Kingdom), §54 (Transparency in supply chains).

9. ESRS 1, General Requirements, §53 (Materiality of impacts in the value chain).