The assurance-level transition problem in 2026-2028 EU CSRD reporting

Here's the issue: the Corporate Sustainability Reporting Directive (CSRD) requires limited assurance from the first year of reporting—2026 for Wave 1 companies. Under the original text, the European Commission was to assess the feasibility of transitioning to reasonable assurance by October 2028, with harmonised standards to follow. Wave 1 reporters planned capital allocation, control design, and audit budgets around a two-year runway to reasonable assurance. Then the Omnibus Package removed the transition mandate entirely. Limited assurance now applies indefinitely. For compliance officers, this looks like relief: no escalation to reasonable procedures, no additional audit hours, no second control environment build.
However, CSRD assurance consists of two things: limited procedures (testing on a sample basis, expressing negative assurance) and reasonable procedures (testing populations, expressing positive assurance). Limited procedures verify that nothing material came to the auditor's attention. Reasonable procedures verify that the numbers are fairly stated in all material respects. The difference is not just audit depth—it is the evidence standard the company must maintain.
Limited procedures on their own have no residual value. Reasonable procedures are what investors, regulators under enforcement review, and downstream supply-chain counterparties are actually asking for. A Wave 1 company that files under limited assurance in 2026 may still face reasonable assurance demands from counterparties under California Senate Bill 253, from lenders under taxonomic disclosure requirements, or from auditors conducting ISAE 3410 to ISSA 5000 transitions on Scope 3 Category 1 data. If the company's control environment supports only limited procedures—sampling logs, incomplete lineage, no population-level evidence—then the cost of upgrading to reasonable procedures in response to a counterparty request may exceed the savings from avoiding the mandated transition.
While the Omnibus reduced the direct compliance burden by removing the reasonable assurance mandate, it increased the hidden cost of evidence-level misalignment. If a Wave 1 reporter maintains only the minimum controls for limited assurance, and a key counterparty requires reasonable assurance over Scope 3 Category 1 embedded emissions (as many US and UK financial institutions now do), the incremental cost of a second control build—new IT general controls, revised sampling frames, full lineage documentation—might add 60-90 audit hours and €45,000-€75,000 per engagement, per the typical Big Four hourly rates for sustainability assurance.
How do you solve this? I think the operators who come out ahead are those who treat limited assurance as a floor, not a ceiling. For now, that means designing controls to reasonable-assurance specifications even when only limited assurance is mandated: population-level evidence, deterministic calculation lineage, reproducible outputs. The incremental cost of reasonable-ready controls in 2026 is lower than the cost of retrofitting them in 2027 when a counterparty or regulator requests them.
The Omnibus changes and what they mean for assurance
The Omnibus Package, adopted in late 2025 and published in the Official Journal in early 2026, made three structural changes to CSRD assurance requirements[1]:
| Change | Original CSRD text | Omnibus revision | Impact on Wave 1 reporters |
|---|---|---|---|
| Reasonable assurance transition | Commission to adopt standards by October 2028 after feasibility assessment | Mandate removed; limited assurance applies indefinitely | No forced escalation to reasonable procedures |
| Limited assurance standards | Harmonised standards to be adopted | Deadline extended to July 1, 2027 | Wave 1 reporters file 2026 under member-state frameworks |
| Third-country auditor registration | Full registration and oversight | Simplified registration, exemption from oversight 2025-2030 | Lower entry barriers for non-EU assurance providers |
The Omnibus text states: "to avoid increased costs for reporting entities, the approved Omnibus revisions remove the requirement to adopt reasonable assurance standards."[2] This language frames the change as cost relief. But it creates a hidden cost for companies whose counterparties or regulators still require reasonable assurance.
The two-tier assurance market that emerges
Under limited assurance, the auditor performs inquiry and analytical procedures, but does not test the full population of transactions. The opinion reads: "Nothing has come to our attention that causes us to believe that the sustainability statement is not prepared, in all material respects, in accordance with ESRS." Under reasonable assurance, the auditor tests controls, performs substantive procedures on populations, and issues a positive opinion: "In our opinion, the sustainability statement is prepared, in all material respects, in accordance with ESRS."
The evidence standard for reasonable assurance is higher in four dimensions:
- Population coverage: reasonable assurance requires testing of the full population of high-risk items, not a sample.
- Control testing: reasonable assurance requires evaluation of IT general controls (ITGCs), change management, and access controls.
- Substantive procedures: reasonable assurance requires direct confirmation of third-party data (utility bills, supplier invoices, customs records).
- Calculation lineage: reasonable assurance requires reproducible, deterministic calculations with full lineage from source document to disclosure.
For a Wave 1 company with 2,000 tier-1 suppliers and Scope 3 Category 1 emissions of 150,000 tonnes CO₂e, the difference in audit scope is:
- Limited assurance: sample 50-100 suppliers (5% of population), review aggregated totals, perform plausibility checks.
- Reasonable assurance: test ITGCs over procurement system, confirm primary data for top 200 suppliers (80% of emissions by spend), document calculation lineage for all 2,000 suppliers.
The incremental audit hours for reasonable assurance range from 60 to 120 hours, depending on the maturity of the company's controls[3].
The counterparty assurance problem
The Omnibus removed the EU mandate for reasonable assurance, but it did not remove counterparty demands. Three categories of counterparty now require reasonable assurance over sustainability data, independent of CSRD:
- US firms under SB 253: California's Senate Bill 253 requires Scope 1, 2, and 3 disclosures for companies with $1B+ California revenue. While the California Air Resources Board (CARB) waived assurance for 2026, the statute contemplates limited assurance in 2027 and reasonable assurance thereafter. For a US parent with EU subsidiaries, the EU data feeds the California filing. If the EU data is assured only to limited level, the US parent must either accept limited assurance for the full California filing or conduct a separate reasonable assurance engagement over the EU subset.
- UK financial institutions under ISSB IFRS S2: UK-listed financial institutions adopting IFRS S2 in 2026 must disclose financed emissions (Scope 3 Category 15). Many are requesting reasonable assurance over borrowers' Scope 1 and 2 emissions to support financed emissions calculations. For an EU corporate borrower, this means the lender requires reasonable assurance over the same data the borrower reports under CSRD at limited assurance level.
- Supply-chain counterparties under ISAE 3410 to ISSA 5000 transitions: auditors transitioning from ISAE 3410 (GHG assurance) to ISSA 5000 (sustainability assurance) must demonstrate population completeness and control effectiveness. For a Scope 3 Category 1 reporter, this means the auditor requires reasonable assurance over tier-1 supplier data, even if the company's own CSRD filing is limited-assured.
A compliance officer at a Wave 1 industrial company told me: "We budgeted for limited assurance in 2026, reasonable in 2028. The Omnibus saved us the 2028 upgrade. Then our largest US customer asked for reasonable assurance over our Scope 1 and 2 data to support their SB 253 filing. We had to scope a new engagement—same data, different assurance level, different price."
The control-design trade-off
The decision tree for a Wave 1 company in Q1 2026 is:
- Design controls to limited assurance specifications: lower upfront cost, but risk of retrofit if counterparty demands reasonable assurance.
- Design controls to reasonable assurance specifications: higher upfront cost, but no retrofit risk.
The incremental cost of reasonable-ready controls in 2026 is approximately 20-30% higher than limited-ready controls, based on audit planning discussions with Big Four firms. For a mid-sized industrial company with 500 suppliers and €500M revenue, the delta is:
- Limited-ready controls: €80,000-€120,000 in audit fees, 40-60 audit hours.
- Reasonable-ready controls: €120,000-€180,000 in audit fees, 60-90 audit hours.
The incremental cost is €40,000-€60,000. If the company later faces a counterparty request for reasonable assurance, the cost of retrofitting controls is:
- Control redesign: 30-40 hours of internal effort (IT, procurement, finance).
- Audit re-scoping: 20-30 additional audit hours.
- Population evidence build: 10-15 hours per 100 suppliers for lineage documentation.
For a 500-supplier company, the retrofit cost is approximately €50,000-€80,000, exceeding the upfront delta.
"The Omnibus changes maintain a requirement for the European Commission to adopt limited assurance standards. Although this is not a new requirement, the deadline for the adoption of limited assurance standards by the European Commission has been postponed to July 1, 2027."[4]
This postponement creates a second timing problem: Wave 1 companies file 2026 reports in H1 2027, but harmonised limited assurance standards may not be available until July 2027. Member states apply their own interim frameworks, creating variation in what "limited assurance" means across jurisdictions.
The evidence lineage gap
The core technical problem is evidence lineage. Under limited assurance, the auditor reviews aggregated totals and performs plausibility checks. Under reasonable assurance, the auditor traces each number back to a source document: invoice, utility bill, customs record, supplier declaration. For Scope 3 Category 1 embedded emissions, this means:
- Invoice-level quantities: tonnes of steel, cubic metres of concrete, kilowatt-hours of electricity.
- Emission factors: kgCO₂e per tonne, per cubic metre, per kWh, with source references (Ecoinvent, EPA, supplier-specific).
- Calculation lineage: reproducible formula linking quantity × emission factor → line-item emissions → aggregated total.
A Wave 1 company that designs controls only for limited assurance may maintain:
- Aggregated totals by supplier (no invoice-level detail).
- Generic emission factors (no source references).
- Spreadsheet calculations (no deterministic lineage).
If a counterparty later requests reasonable assurance, the company must retroactively build the evidence lineage. For a 500-supplier base, this means:
- Retrieving 6,000-12,000 invoices (assuming 12-24 invoices per supplier per year).
- Matching each invoice to a BoM or utility bill.
- Documenting the emission factor source for each line item.
- Rebuilding the calculation in a reproducible tool (not Excel).
The labour cost for this retrofit is approximately 1-2 hours per 10 invoices, or 600-2,400 hours total. At €80-€120 per hour for procurement analyst time, the cost is €48,000-€288,000.
How Emission3 fits
Emission3 is built to solve the evidence lineage problem at reasonable-ready specifications, even when only limited assurance is mandated. The workflow is:
- Document ingestion: upload invoices, BoMs, utility bills, customs records. The deterministic LLM layer extracts quantities, dates, supplier identifiers.
- Emission factor matching: the system matches each line item to a source-referenced emission factor (Ecoinvent, EPA, supplier-specific PCF), with fallback logic documented.
- Calculation lineage: every number is reproducible. The system generates a full lineage artifact: invoice → line item → emission factor → line-item emissions → aggregated total.
- Assurance export: the system produces an evidence pack for the auditor: population coverage, calculation lineage, source document index, control description.
For a Wave 1 company filing under limited assurance in 2026, the incremental cost of reasonable-ready lineage is approximately 10-15% higher than limited-ready aggregation. The delta is the cost of document ingestion and lineage generation. But if a counterparty requests reasonable assurance in 2027, the lineage is already built—no retrofit required.
We work with a mid-sized cement producer that filed its first CSRD report in 2025. The company designed controls to limited assurance specifications, using Excel aggregations of supplier data. In Q3 2025, a UK lender requested reasonable assurance over Scope 1 and 2 emissions to support financed emissions calculations. The company had to retrofit the lineage: retrieve 800 invoices, match to utility bills, document emission factors. The cost was €60,000 and 40 days of procurement team time. The company told us: "If we'd known in 2024 that reasonable assurance was coming from a counterparty, we would have designed for it from the start."
The 2026-2028 planning question
For a Wave 1 company filing in 2026, the planning question is: what assurance level will my counterparties require in 2027-2028? The answer depends on:
- US revenue exposure: if the company has $1B+ California revenue, SB 253 assurance escalates to reasonable in 2029 (after the current waiver expires).
- UK lender relationships: if the company borrows from UK-listed banks adopting IFRS S2, those banks may require reasonable assurance over borrower emissions.
- Supply-chain position: if the company is a tier-1 supplier to US or UK firms under assurance mandates, those firms may flow down reasonable assurance requirements.
If any of these apply, the company should design controls to reasonable assurance specifications in 2026, even though only limited assurance is mandated under CSRD.
Closing thought: the assurance-ready baseline
The Omnibus removed the CSRD mandate for reasonable assurance, but it did not remove the economic demand. Investors, lenders, and supply-chain counterparties are converging on reasonable assurance as the baseline for decision-useful data. A Wave 1 company that treats limited assurance as a ceiling, not a floor, may face retrofit costs in 2027-2028 that exceed the upfront cost of reasonable-ready controls.
If you are a compliance officer at a Wave 1 company, the question to ask in Q1 2026 is: which of our counterparties will require reasonable assurance in 2027, independent of CSRD? If the answer is "any of them," design controls to reasonable specifications now.
Book a CBAM readiness call to map your assurance requirements, counterparty demands, and evidence lineage gaps. All Emission3 customers start with a readiness call—we map your suppliers, identify assurance risks, and scope an implementation that matches your counterparty demands, not just the regulatory minimum[5].
References & Sources
External Sources
- [1] The Omnibus Package: Changes in Sustainability and Due Diligence Reporting Requirements Under the CSRD and the CSDDD
  Legal analysis of the Omnibus Package's removal of the reasonable assurance transition mandate and extension of limited assurance standards deadline to July 2027.
- [2] Revisions to CSRD and CSDDD finalized - 2026
  Grant Thornton's technical summary of the Omnibus changes, including the removal of reasonable assurance requirements to avoid increased costs for reporting entities.
- [3] CSRD Compliance Timeline 2026: Wave 1, 2, 3, 4 Deadlines Explained
  Compliance guide detailing limited assurance requirements, control expectations, and the transition from limited to reasonable assurance that was originally planned for post-2028.
- [4] How to Prepare for CSRD Before 2026
  Implementation guide covering assurance requirements evolution, digital tagging requirements, and the move from limited to reasonable assurance timelines.
Related Content
- [5] Book a CBAM readiness call
  All Emission3 customers start with a readiness call: we map suppliers, gaps, and implementation requirements, including assurance-level specifications for counterparty demands.
- [6] The assurance-level problem in EU CSRD limited-to-reasonable transitions
  Analysis of the original CSRD assurance transition problem before the Omnibus changes, covering control design trade-offs and audit pricing dynamics.
- [7] Audit-ready exports in Emission3
  Technical overview of Emission3's evidence lineage artifact, built to reasonable assurance specifications for auditors and CFOs.