The assurance-level problem in EU CSRD limited-to-reasonable transitions

Here's the issue: the EU Corporate Sustainability Reporting Directive requires limited assurance from 2025, with a planned escalation to reasonable assurance in 2028. First-wave reporters assumed limited assurance meant lighter audit procedures and lower costs. However, the December 2025 Omnibus revisions removed the reasonable assurance deadline—but kept the escalation clause. Auditors still design limited assurance engagements with reasonable assurance infrastructure in mind, which means teams that built for limited assurance now face surprise audit costs when the transition arrives.

However, CSRD assurance consists of two things: limited assurance procedures and reasonable assurance procedures. Limited assurance uses inquiry and analytical procedures to obtain negative assurance: "nothing has come to our attention." Reasonable assurance uses substantive testing, control evaluation, and population completeness checks to obtain positive assurance: "the disclosures are fairly presented." These are not incremental—they are structurally different engagement scopes.

Limited assurance on its own has no value if the underlying data quality cannot scale to reasonable assurance. Reasonable assurance is what the EU CSRD Article 2 (amending Audit Directive Article 26a) is designed for: the Commission retains the delegated power to require reasonable assurance "subject to a positive assessment whether the transition is feasible for undertakings and assurance practitioners."^[1] If your sustainability inventory lacks deterministic calculation lineage, population-level evidence, or reproducible methodology documentation, your auditor cannot issue reasonable assurance—no matter how clean your limited assurance opinion looks today.

While limited assurance engagement hours have dropped from initial estimates (PwC UK reported 15–25% reductions in first-wave cycles), reasonable assurance engagement hours are expected to triple. If your ESRS E1 Scope 3 inventory uses supplier-specific primary data without line-item invoice evidence, the cost of reasonable assurance might outpace the €150,000–€300,000 first-wave limited assurance baseline. KPMG estimates reasonable assurance for mid-cap reporters could reach €450,000–€600,000, driven by substantive testing of value-chain data and control walkthroughs for every material disclosure.^[2]

How do you solve this? I think you build for reasonable assurance from the start, even if you are only required to deliver limited assurance today. The operators we work with treat limited assurance as a dress rehearsal: they use the same evidence lineage, the same population completeness checks, and the same methodology documentation that a reasonable assurance engagement would verify. For now, that means every Scope 3 invoice has a line-item emissions calculation with a reproducible method, and every disclosure has a full audit trail from source document to filing.

The shape of the argument, visualised below.

The structural gap between limited and reasonable assurance

The difference between limited and reasonable assurance is not a matter of audit hours—it is a matter of audit architecture. The table below compares engagement procedures across both levels:

The December 2025 Omnibus Package removed the October 1, 2026 deadline for the Commission to adopt reasonable assurance standards, but it did not remove the Commission's delegated power to require reasonable assurance.^[3] The recitals note that the Commission will issue "targeted assurance guidelines by 2026," which suggests interim guidance on how limited assurance should prepare teams for eventual reasonable assurance transitions.

"The EC should then specify when reasonable assurance would be required. The proposal keeps the EC's delegated power to adopt a limited assurance standard proposing to extend this power for an indetermined period. However, it removes the deadline to adopt the limited assurance standard by 1 October 2026. The proposal also deletes an obligation to adopt reasonable assurance standards."^[1]

For first-wave reporters, this creates a planning paradox: the reasonable assurance deadline is indefinite, but the audit infrastructure required for reasonable assurance must be built during the limited assurance phase. If you wait until the Commission announces a transition timeline, you will not have time to retrofit your evidence lineage.

Why limited assurance infrastructure fails at reasonable assurance scale

Most first-wave reporters built their CSRD infrastructure for limited assurance: aggregated supplier emissions, spreadsheet-based Scope 3 calculations, and PDF-based methodology documentation. These systems pass limited assurance because auditors only review management representations and spot-check high-level totals. They fail reasonable assurance because auditors need line-item evidence, reproducible calculations, and population completeness proofs.

The three most common infrastructure gaps we see in limited assurance engagements:

1. Supplier-level aggregates without invoice-level lineage. Your Scope 3 Category 1 inventory shows supplier X contributed 2,400 tCO2e, but the auditor cannot trace that number back to specific invoices, bill-of-materials line items, or utility bills. Under limited assurance, the auditor accepts a supplier declaration. Under reasonable assurance, the auditor recalculates the 2,400 tCO2e from source documents.

2. Spreadsheet-based calculations without audit-trail metadata. Your ESRS E1 disclosure includes a GHG intensity metric (tCO2e per EUR million revenue), calculated in Excel. The auditor can see the formula, but cannot verify which version of the file was used, who edited it, or whether the revenue denominator matches the financial statements. Under limited assurance, the auditor reviews the formula. Under reasonable assurance, the auditor tests the entire calculation chain, including data imports, version control, and reconciliation to audited financials.

3. Methodology documentation without reproducibility proofs. Your Scope 3 methodology document describes your allocation logic ("We allocate supplier emissions proportionally to invoice value"), but does not include worked examples or test cases. Under limited assurance, the auditor reads the document. Under reasonable assurance, the auditor re-runs the allocation logic on a sample of invoices to verify it produces the same result.

The December 2025 EFRAG draft simplified ESRS reduced mandatory datapoints from 1,100 to 430, but it did not simplify assurance requirements. The revised ESRS introduces "proportionality mechanisms" that allow companies to limit disclosure to information available "without undue cost or effort," but auditors interpret "undue cost or effort" as "what a reasonable assurance engagement would verify."^[4] If your methodology cannot be reproduced without undue cost or effort, it cannot be assured.

The cost delta between limited and reasonable assurance

The primary cost driver in reasonable assurance is substantive testing of value-chain data. For a mid-cap first-wave reporter with €500 million turnover and 1,200 employees, limited assurance covers:

• 10–15 days of audit fieldwork
• 20–30 management interviews
• 50–80 document reviews (policies, process maps, sample invoices)
• 1–2 control walkthroughs for material disclosures

Reasonable assurance for the same company covers:

• 35–50 days of audit fieldwork
• 60–90 management interviews
• 200–300 document reviews (line-item invoices, utility bills, contracts)
• 5–8 detailed control tests for every material disclosure
• Population completeness testing (e.g., proving that your Scope 3 Category 1 inventory covers 95%+ of procurement spend)
• External confirmations from key suppliers (e.g., asking supplier X to confirm the emissions data they provided)

The table below quantifies the engagement hour delta:

At a blended rate of €180–€220 per audit hour, that translates to €32,400–€39,600 for limited assurance and €113,400–€138,600 for reasonable assurance—before premium charges for specialized sustainability assurance skills (carbon accounting, lifecycle assessment, taxonomy alignment).

The Omnibus timeline and what it means for Wave 1 reporters

The December 2025 Omnibus Package kept limited assurance requirements for all waves, but postponed the Commission's obligation to adopt a limited assurance standard.^[5] The April 2025 Stop-the-Clock Directive already postponed CSRD application by two years for Wave 2 (large companies reporting in FY 2027) and Wave 3 (listed SMEs reporting in FY 2028). Wave 1 reporters—companies with 1,000+ employees and €450 million+ turnover—remain on the original timeline: FY 2024 reporting due in 2025, with limited assurance required.

However, the Omnibus Package includes a Member State exemption clause: Member States have the option to exempt Wave 1 companies from reporting in FY 2025 and FY 2026.^[6] As of January 2026, Germany, France, and the Netherlands have not implemented this exemption, which means Wave 1 reporters in those jurisdictions must assume a legal obligation to report for FY 2025 under the existing CSRD framework, using the Quick Fix reliefs adopted in early 2025.

The Quick Fix reliefs include:

• Phased-in reporting for value-chain data (companies can disclose "data not yet available" in FY 2025 if they document reasonable efforts to collect it)
• Proportionality for SME suppliers (companies are not required to ask SMEs for primary data if the request would be "disproportionate")
• Simplified materiality assessment (companies can use a qualitative materiality assessment in FY 2025, with quantitative thresholds introduced in FY 2026)

None of these reliefs change the assurance requirement. Limited assurance still applies to whatever disclosures the company makes, including qualitative materiality assessments and "data not yet available" statements. Auditors verify that the company's documentation supports its claims—which means if you claim "data not yet available," you must prove you made reasonable efforts to collect it.

How Emission3 fits: building reasonable assurance infrastructure during the limited assurance phase

Emission3 is designed for teams that need to deliver limited assurance today but know they will face reasonable assurance tomorrow. The platform's architecture is built around three assurance-level requirements:

1. Line-item evidence for every disclosure. Every ESRS E1 emissions number traces back to a source document: an invoice, a bill of materials, a utility bill, a customs declaration. The platform ingests these documents, extracts line-item data, calculates emissions per line item, and rolls them up to disclosure-level totals. When the auditor asks "how did you calculate 2,400 tCO2e for supplier X," you export an evidence pack with every invoice, every calculation, and every emission factor.

2. Reproducible calculation lineage for every method. Every emissions calculation includes metadata: which emission factor was used, which allocation logic was applied, which version of the GHG Protocol was referenced. The platform's deterministic AI layer converts invoice line items ("5,000 kg cold-rolled steel, delivered to Hamburg") into emission factor lookups ("CBAM default: 1.89 tCO2e/tonne, Scope 1+2+3") and recalculates on demand. Auditors can replay any calculation without accessing your raw data.

3. Population completeness proofs for value-chain inventories. Every Scope 3 Category 1 inventory includes a coverage metric: what percentage of procurement spend is covered by primary data, what percentage by secondary data, what percentage by estimates. The platform reconciles supplier-level emissions to ERP spend data, flags missing suppliers, and generates a completeness report that auditors accept as population-level evidence.

For a mid-cap Wave 1 reporter, this reduces reasonable assurance preparation time from 6–9 months (if starting from spreadsheets) to 4–6 weeks (if using Emission3 from the limited assurance phase). The evidence lineage built during limited assurance becomes the audit trail for reasonable assurance, with no retrofit required.

The verdict: build for reasonable assurance, deliver limited assurance

If you are a Wave 1 reporter preparing for FY 2025 limited assurance, you face a structural choice: build infrastructure that passes limited assurance but fails reasonable assurance, or build infrastructure that passes both. The cost difference is front-loaded (reasonable assurance infrastructure takes 4–6 weeks longer to build), but the risk-adjusted return is clear: when the Commission announces a reasonable assurance transition timeline—whether in 2027, 2028, or 2030—you will not need to rebuild your evidence lineage.

The December 2025 Omnibus revisions removed the reasonable assurance deadline, but they did not remove the reasonable assurance requirement. The Commission retains the delegated power to require reasonable assurance "subject to a positive assessment," and that assessment is based on whether companies and auditors are ready. If Wave 1 reporters treat limited assurance as a dress rehearsal for reasonable assurance, the Commission's feasibility assessment will return positive—and the transition will happen faster than most teams expect.

For now, the best signal that your infrastructure is reasonable-assurance-ready is whether your auditor can recalculate any disclosure from source documents without asking for clarifications. If the answer is yes, you are ready. If the answer is "we will need to supplement with management representations," you are not.

Next step: map your assurance gap before FY 2026 reporting begins

Wave 1 reporters have 8–12 months before FY 2026 limited assurance fieldwork begins (assuming Member States do not implement the exemption). That window is long enough to retrofit evidence lineage for your material disclosures, but only if you start with a structured gap assessment: which Scope 3 categories have line-item evidence, which have supplier-level aggregates, which have only estimates.

Emission3 customers start with a CBAM readiness call, but the same framework applies to CSRD assurance: we map your supplier base, identify the evidence gaps, and build an implementation plan that delivers limited assurance in FY 2026 and reasonable assurance in FY 2027–2028, with no retrofit. Book a CBAM readiness call to begin the assessment.^[7]

^{[1] [2] [3] [4] [5] [6] [7]}