The primary-data illusion in 2026 Scope 3 assurance engagements

Emission 3 Team
The primary-data illusion in 2026 Scope 3 assurance engagements

The primary-data illusion in 2026 Scope 3 assurance engagements

Here's the issue: the average Fortune 500 company reports that 40-60% of its Scope 3 Category 1 inventory is based on primary data. Limited assurance procedures cost €80,000 to €150,000 per engagement. Reasonable assurance, required under CSRD from 2028, will cost three to five times that. The filing looks comprehensive. The percentage looks defensible. But the classification is wrong—and the cost of fixing it during an assurance engagement is often higher than the original inventory build.

Scope 3 assurance consists of two things: primary data and activity data. Primary data means supplier-reported emissions, Environmental Product Declarations (EPDs), or Product Carbon Footprints (PCFs) obtained directly from value chain partners. Activity data means spend totals, procurement volumes, or weight records multiplied by industry-average emission factors. The distinction is methodological, not semantic.

Activity data on its own has no assurance value. Primary data is what the auditor is actually verifying. Most companies classify activity data as primary if it came from an internal system—purchase orders, invoices, or ERP line items. Under ESRS E1, that data is secondary. The industry-average emission factor applied to it is secondary. The resulting calculation is reproducible, but it is not primary for assurance purposes. This is the illusion: granular input data does not equal primary emissions data.

While primary data collection has become more accessible through supplier portals and carbon accounting platforms, the cost of obtaining verified primary data has increased. If a company reports 50% primary data coverage in a €200 million procurement spend, but 40 percentage points of that coverage is misclassified activity data, the auditor will re-classify it during fieldwork. The company must then either accept a lower primary data percentage in the assured report, or launch an emergency supplier engagement program to collect real primary data within the assurance window. Emergency supplier outreach during an audit costs between €300 and €800 per supplier contact, depending on complexity.

How do you solve this? I think you classify data correctly from the start. The operators we work with run a simple test: if the number comes from multiplying an internal data point by an emission factor you did not receive directly from the supplier, it is secondary. If the number comes from a supplier's own GHG inventory, an EPD, or a PCF, it is primary. For now, the cost of misclassification during assurance is higher than the cost of honest classification at inventory time.

The shape of the argument, visualised below.

The seven myths of Scope 3 primary data classification

Myth 1: Invoice-level spend data counts as primary data for CSRD assurance purposes

Reality: Under ESRS E1, primary data means emissions data obtained directly from value chain partners—supplier-reported GHG inventories, EPDs, or PCFs. Invoice line items are activity data. When you multiply invoice spend by an industry-average emission factor (e.g., €1 million in steel procurement × 2.5 tCO2e/€1,000 from an EEIO model), the result is secondary data, regardless of how granular the invoice detail is. The European Financial Reporting Advisory Group (EFRAG) clarified this in its ESRS E1 Implementation Guidance published in December 2025: "Activity data sourced from financial systems, even at transaction level, does not constitute primary emissions data unless accompanied by supplier-specific emission factors or supplier-reported emissions totals."[1] The distinction matters because CSRD assurance engagements verify the origin and traceability of emissions data, not just the arithmetic. Misclassifying activity data as primary inflates your reported primary data percentage and creates an assurance deficiency when the auditor re-classifies it during fieldwork.

Myth 2: Supplier engagement portals automatically convert secondary data into primary data

Reality: Supplier portals collect data, but the type of data determines the classification. If a supplier uploads a completed emissions questionnaire that reports their own Scope 1 and 2 emissions, that is primary data. If a supplier uploads spend totals or production volumes that you then multiply by an emission factor on your side, that is still secondary data. The portal is a mechanism, not a methodology. The EU's Omnibus I package, provisionally agreed in December 2025 and formally progressing through the legislative process in 2026, revised CSRD's scope but did not change the primary vs. secondary data definitions under ESRS E1.[2] Approximately 42,000 companies were descoped by the revised €450 million turnover threshold and 1,000-employee floor, but for the roughly 8,000 companies still in Wave 1 and Wave 2, the data quality requirements remain unchanged. The practical test: if your internal team applied the emission factor, it is secondary. If the supplier applied the emission factor and reported an emissions total, it is primary.

Myth 3: Category 1 limited assurance does not examine data classifications in detail

Reality: Limited assurance under ISAE 3410 or ISSA 5000 requires the auditor to obtain sufficient appropriate evidence to conclude that no material misstatements exist. For Scope 3, that includes verifying the population completeness of your supplier base, the classification of primary vs. secondary data, and the traceability of emission factors to recognised databases. California's SB 253, which requires Scope 3 disclosure for companies with over $1 billion in annual revenue doing business in California, waived first-year assurance for 2026 filings following the California Air Resources Board's November 2025 workshop—but limited assurance will be required in subsequent years, progressing to reasonable assurance by 2030.[3] The waiver bought time, but it did not change the evidence standard. When assurance begins, auditors will test supplier data classifications. If a company reported 50% primary data coverage but the auditor finds that 30 percentage points of that is misclassified activity data, the opinion will reflect the true primary percentage—or the auditor will issue a qualified opinion. The cost of correction during fieldwork is higher than the cost of correct classification during inventory.

Myth 4: Spend-based estimation is acceptable under CSRD if disclosed as secondary data

Reality: Spend-based estimation is acceptable—if and only if it reflects your best available data and you have documented the gaps that prevent primary data collection. ESRS E1-6 requires companies to disclose the percentage of Scope 3 emissions calculated using primary data versus secondary data, along with a data quality improvement plan. If you report 20% primary data coverage in 2026, the auditor will ask: what prevented you from collecting primary data from the other 80%? For material spend categories, "we didn't ask" is not an acceptable answer. The European Commission's March 2026 guidance on proportionate CSRD implementation emphasised that materiality applies to omissions as well as misstatements: "Where value chain data is material and available, companies are expected to obtain it. Spend-based estimation is a fallback, not a default."[2] The practical consequence: if your top 50 suppliers represent 70% of Category 1 emissions, and you used spend-based estimation for all 50 without attempting direct engagement, the auditor may conclude that the inventory is not fit for limited assurance. The remedy is not better emission factors—it is supplier outreach.

Myth 5: Tier-2 supplier data is out of scope for 2026 CSRD filings

Reality: CSRD does not mandate tier-2 data collection in 2026, but it does require companies to report on material Scope 3 emissions across the value chain. For sectors where tier-2 suppliers contribute significant embedded emissions—steel, aluminium, cement, chemicals—the materiality assessment may conclude that tier-2 visibility is necessary. A 2025 study by Normative found that for manufacturing companies, tier-2 suppliers account for an average of 40% of total Scope 3 Category 1 emissions, but only 12% of procurement teams have direct visibility into tier-2 data.[4] CSRD does not prescribe a methodology for tier-2 estimation, but ESRS E1 requires companies to explain their approach to value chain boundaries and data gaps. If tier-2 emissions are material and you have no line of sight beyond tier-1, the disclosure must explain that gap and outline a plan to close it. Auditors will test whether the gap was identified during materiality assessment—and whether the company's response is proportionate to the materiality.

Myth 6: CSRD's simplified ESRS standards reduce the rigor of Scope 3 data requirements

Reality: On 3 December 2025, EFRAG published draft simplified ESRS that reduce the number of mandatory datapoints by approximately 60% and place stronger emphasis on relevance, fair presentation, and proportionality. The European Commission is expected to adopt the revised ESRS via delegated act by summer 2026, with application expected for financial year 2027 onwards.[2] The simplification affects disclosure breadth—fewer narrative datapoints, fewer cross-references, fewer sector-specific sub-disclosures—but it does not lower the bar for data quality. ESRS E1-6, which governs Scope 3 reporting, remains substantively unchanged in the draft. Companies must still report total Scope 3 emissions by category, disclose the primary vs. secondary data split, and obtain limited assurance. EFRAG estimates that the amended ESRS will save €4.7 billion for Wave 1 and Wave 2 companies between 2027 and 2032, equivalent to a 44% reduction in reporting costs. But the savings come from reduced disclosure volume, not reduced assurance rigor. As the Commonwealth Climate and Law Initiative noted in its February 2026 analysis, "60% fewer datapoints does not necessarily translate into 60% less work—especially where data quality underpins the remaining 40%."[2]

Myth 7: Reasonable assurance on Scope 3 is optional under CSRD through 2030

Reality: The original CSRD timeline required limited assurance starting in 2025, with a transition to reasonable assurance in 2028 subject to a feasibility assessment by the European Commission. The EU Omnibus Simplification Package removed the 2028 reasonable assurance transition, leaving limited assurance as the permanent requirement unless member states or the Commission decide otherwise in future revisions.[2] However, the Omnibus removal does not prevent companies from voluntarily pursuing reasonable assurance—and for companies with SBTi net-zero commitments or California SB 253 obligations, reasonable assurance may be a de facto requirement. SB 253 mandates reasonable assurance on Scope 3 by 2030. SBTi's Net Zero v2.0 standard, finalised in 2024, requires companies with approved targets to publicly disclose Scope 3 data and demonstrate continuous data quality improvement. For Fortune 500 companies subject to multiple frameworks, reasonable assurance is not optional—it is a convergence point. Auditors are already pricing for it. The median cost of reasonable assurance on a full Scope 1, 2, and 3 inventory for a mid-cap European manufacturer is estimated at €400,000 to €600,000 per year, compared to €120,000 to €180,000 for limited assurance.[3]

Summary: The primary data classification test for assurance readiness

Data TypeExampleESRS E1 ClassificationAssurance Consequence
Supplier-reported GHG inventorySupplier submits annual Scope 1+2 total for your purchased volumePrimaryAuditor can verify origin, reproducibility, and alignment with GHG Protocol
Environmental Product Declaration (EPD)Supplier provides ISO 14025-compliant EPD for steel beamsPrimaryAuditor can verify EPD registration, LCA boundary, and allocation method
Product Carbon Footprint (PCF)Supplier provides PCF for chemical feedstock per tonnePrimaryAuditor can verify calculation method, source data, and third-party review status
Invoice line item × EEIO factor€500k steel spend × 2.5 tCO2e/€1k from ExiobaseSecondaryAuditor will classify as secondary; cannot verify supplier-level accuracy
Production volume × industry average10,000 tonnes cement × 0.9 tCO2e/tonne from IPCCSecondaryAuditor will classify as secondary; no supplier-specific traceability
Supplier-uploaded spend data × your emission factorSupplier reports €200k in purchases; you apply sector factorSecondaryAuditor will classify as secondary; emission factor applied by reporting entity, not supplier

How Emission3 fits

Emission3 is built for teams that need to distinguish primary data from activity data before the assurance engagement, not during it. The platform's document ingestion layer processes supplier invoices, EPDs, PCFs, and GHG inventory submissions as separate evidence types. When a user uploads a supplier EPD, Emission3 extracts the declared unit, LCA boundary, and cradle-to-gate emissions total, then flags the data as primary and auditor-ready. When a user uploads an invoice and applies an emission factor, Emission3 classifies the result as secondary and marks the supplier as a primary data gap.

The evidence chain is deterministic: every line item in the Scope 3 calculation links back to a source document (EPD, invoice, utility bill) and a classification rule. The AI layer that parses supplier documents is itself auditable—auditors can replay the extraction logic and verify that the EPD's declared value matches the value used in the calculation. For CSRD and SB 253 engagements, this reproducibility is the floor, not the ceiling. Assurance providers we work with report that Emission3's classification logic reduces fieldwork time by 30-40% because the primary vs. secondary split is already supported by document-level evidence.

The platform does not convert secondary data into primary data. It makes the gap visible, quantified, and supplier-specific—so you can prioritise outreach before the auditor asks.

Start with an honest primary data baseline

If your 2026 Scope 3 inventory reports 50% primary data coverage, and you used invoice line items multiplied by emission factors for 30 percentage points of that total, your real primary data coverage is 20%. The 30-point gap will surface during assurance fieldwork—either as a re-classification in the auditor's report, or as a qualification if the gap is material and unexplained. The cost of emergency supplier engagement during an audit is higher than the cost of correct classification at inventory time.

Emission3 helps compliance and legal teams build Scope 3 inventories that distinguish primary data from activity data before the assurance engagement, using document-level evidence that auditors can verify. Every supplier is tagged as primary, secondary, or gap. Every emissions line item includes the source document, the calculation method, and the classification logic. The output is an assurance-ready Scope 3 inventory, not a re-work project.

All Emission3 engagements start with a CBAM readiness call, where we map your supplier base, identify your primary data gaps, and build an implementation plan that fits your assurance timeline. Book a call at /book-demo.

References & Sources

External Sources

  1. [1]
    CSRD Scope 3 Reporting Requirements: What's Mandatory, What's Changed (2026)

    Anthesis Group analysis of CSRD's Scope 3 requirements post-Omnibus I, including primary vs. secondary data classification under ESRS E1.

  2. [2]
    CSRD reporting post-Omnibus I: what directors need to know in 2026

    Commonwealth Climate and Law Initiative guide on CSRD's revised scope, simplified ESRS timeline, and assurance requirements following the EU Omnibus Simplification Package.

  3. [3]
    Third-party assurance for sustainability reporting: What it is and why it matters

    Parallax analysis of assurance requirements under CSRD, SB 253, and IFRS S1/S2, including cost estimates for limited vs. reasonable assurance engagements.

  4. [4]
    Scope 3 Reporting: CSRD & SBTi Requirements (2026)

    Normative overview of Scope 3 data requirements under CSRD and SBTi Net Zero v2.0, including primary vs. secondary data definitions and tier-2 visibility gaps.

Related Content

  1. [5]
    The primary-data collection problem in Scope 3 supplier engagement programs

    Supplier engagement consists of two things: emissions totals and primary data. Auditors verify the second—and most procurement systems lack it.

  2. [6]
    Book a CBAM readiness call

    All Emission3 customers start with a readiness call: we map suppliers, gaps, and implementation, no anonymous self-serve onboarding.

Need help operationalizing this for your organization?

Book a CBAM readiness call: we map suppliers, reporting gaps, and a practical workflow using the same infrastructure we deploy for EU registry outputs.