CSRD Compliance 2026: What Auditors Need to Know

What Omnibus I actually changed for auditors

The Omnibus I Directive (EU) 2026/470 was published in the Official Journal on 26 February 2026 and enters into force on 18 March 2026. Member states must transpose its CSRD and Audit Directive amendments by 19 March 2027. The scope change is significant.

Under the original CSRD, Wave 2 would have pulled in all large EU undertakings meeting two of the following: 250+ employees, €50M+ turnover, or €25M+ total assets. Reporting for these entities was scheduled for 2026 (covering FY 2025). Omnibus I replaces that threshold entirely. EU undertakings are now only in scope if they exceed both 1,000 employees and €450 million in net turnover, at individual or consolidated group level. Listed SMEs are removed from mandatory reporting altogether, though they may voluntarily report using the forthcoming Voluntary SME standard (VSME), which the European Commission is expected to publish by June 2026.

For third-country undertakings, the revised thresholds require the parent company to have net turnover above €450 million within the EU, with the subsidiary or branch generating above €200 million. The previous requirement to move from limited to reasonable assurance by 2028 has also been deleted. Limited assurance remains the ceiling for the foreseeable future.

What does this mean for audit firms outside the Big 4? The pool of companies requiring CSRD assurance just shrank by a substantial margin. The AFM estimated that Omnibus I would reduce the number of Dutch listed companies in its supervisory scope from approximately 160 to just over 100. For non-PIE firms, the pipeline of potential CSRD assurance engagements is smaller than anyone projected two years ago. But it isn’t zero. From the 2027 reporting year onward, large companies with more than 1,000 employees and turnover exceeding €450 million will report, and those assurance engagements may be performed not only by PIE firms but by any firm with a regular audit licence.

The strategic question for non-PIE firms is whether to invest in building CSRD assurance capability now or wait. The AFM’s February 2026 report suggests starting early is the better option, given that the learning curve is steep and the first non-PIE engagements will begin for FY 2027 reports (published in 2028).

Who still reports and when

The phasing after Omnibus I looks different from what most firms planned for. The Stop-the-Clock Directive (entered into force April 2025) already delayed Wave 2 by two years. Omnibus I then reduced the scope within that delayed timeline.

Wave 1 (large PIEs already reporting under NFRD) first reported in 2025 on FY 2024 data. These entities continue reporting under CSRD, though member states now have the option to exempt Wave 1 companies that fall below the revised thresholds (1,000 employees and €450 million turnover) from reporting for FY 2025 and FY 2026. Whether the Netherlands exercises this exemption depends on the final transposition, which is still in progress. The Dutch CSRD implementation bill was submitted to the House of Representatives in January 2025, and the legislative process continues. In practice, the AFM has noted that almost all large listed Dutch companies voluntarily prepared their 2024 sustainability reports in line with ESRS, despite the CSRD not yet being formally transposed into Dutch law.

Wave 2 (large companies meeting the revised thresholds) will first report in 2028 on FY 2027 data. This is the wave most relevant to non-PIE audit firms, because these engagements won’t be limited to PIE-licensed firms.

Listed SMEs that choose to voluntarily report using the VSME standard may begin for FY 2027 or later. Non-EU parent companies with qualifying EU subsidiaries or branches report from 2029 onward on FY 2028 data, under the revised third-country thresholds.

The European Commission must adopt revised and simplified ESRS within six months of Omnibus I’s entry into force (by 18 September 2026). EFRAG published draft revisions in July 2025, reducing mandatory datapoints by approximately 61% (from roughly 1,100 to approximately 430) and eliminating voluntary disclosures. Those simplified standards will apply from FY 2027 reporting. The harmonised EU limited assurance standard is now due by 1 July 2027 (extended from the original October 2026 deadline). This delay reflects the legislative reality that the Omnibus I process consumed political bandwidth that might otherwise have gone to finalising the assurance framework.

Until those EU-level standards are adopted, member states may apply national pronouncements, and the CEAOB’s September 2024 guidelines provide interim expectations for limited assurance practice. ISSA 5000, issued by the IAASB, is the most widely referenced international standard for sustainability assurance in the interim period.

What limited assurance over ESRS means in practice

If you’ve only done financial statement audits, CSRD assurance feels different in ways that aren’t obvious from reading the standard. Limited assurance is a lower threshold than reasonable assurance. The practitioner expresses a conclusion in negative form: “nothing has come to our attention” rather than “in our opinion.” But that framing understates the work involved.

The CEAOB’s September 2024 guidelines specify that the practitioner must understand the entity’s sustainability reporting processes, perform analytical and inquiry procedures, and evaluate whether the sustainability statement complies with ESRS. The practitioner must also assess compliance with the Article 8 disclosures under the EU Taxonomy Regulation. The assurance report must be written and signed, dated by the responsible practitioner, and understandable to the intended users.

The AFM’s February 2026 report identifies four ways CSRD assurance differs from financial audit. First, sustainability reporting lacks a double-entry accounting backbone. You’re dealing with non-monetary metrics, value chain information, long-term targets, and qualitative judgments. Second, estimates are more frequent and often depend on external data sources that the entity doesn’t control. Third, the double materiality assessment is itself a significant judgment the entity makes, and the practitioner must evaluate whether the process and outcome are reasonable. Fourth, stakeholders extend beyond investors to include employees, workers in the value chain, local communities, and environmental interests.

For non-Big 4 firms, the practical implication is that you can’t simply copy your financial audit methodology and relabel it. The AFM was explicit on this point: CSRD assurance “requires different expertise” and a “different mindset.”

How ISSA 5000 fills the interim gap

Until the EU adopts harmonised limited assurance standards (now due by 1 July 2027), practitioners need a framework. ISSA 5000, issued by the IAASB in January 2025, is the most referenced international standard for sustainability assurance outside of any jurisdiction-specific requirements. It’s a principles-based standard, designed to accommodate the range of entities and sustainability topics that fall under CSRD reporting.

ISSA 5000 follows a familiar structure for auditors. It covers engagement acceptance, planning, risk assessment, evidence gathering, and reporting. But the content within each phase reflects the realities of sustainability information. Risk assessment under ISSA 5000 requires the practitioner to consider not just misstatement risk but also the entity’s processes for collecting non-financial data, the reliability of value chain information, and the entity’s governance over sustainability reporting. Evidence gathering includes testing quantitative data (emissions calculations, workforce metrics) alongside evaluating qualitative disclosures (policy descriptions, target-setting rationale).

For a non-PIE firm approaching CSRD assurance for the first time, ISSA 5000 provides the engagement structure. The CEAOB guidelines provide the EU-specific overlay. And the AFM’s four-pillar framework provides the quality expectations. Reading all three is non-negotiable before accepting an engagement.

What assurance materiality looks like for sustainability data

One area where financial auditors consistently struggle in their first CSRD engagement is assurance materiality. In a financial audit, materiality is expressed in euros and benchmarked against profit before tax, total assets, or revenue. In CSRD assurance, there’s no single metric.

Quantitative disclosures have their own measurement units. GHG emissions are measured in tonnes of CO2 equivalent. Workforce metrics use headcount or hours. Water consumption uses cubic metres. Each material topic may require its own materiality threshold expressed in its own unit. A 5% threshold on Scope 1 emissions doesn’t automatically apply to workforce injury rates.

Qualitative disclosures add another layer of complexity. How do you determine whether a description of the entity’s climate transition plan is “materially misstated”? The answer lies in ESRS 1’s requirement for faithful representation and relevance. A qualitative disclosure is misstated if it omits information that would influence the decisions of intended users, or if it presents information in a way that creates a misleading impression. This is a judgment call, and documenting the basis for that judgment is critical.

For first-time engagements, a pragmatic approach is to set quantitative thresholds for each material topic (benchmarked against sector peers or regulatory benchmarks where available) and to apply a “reasonable user” test for qualitative disclosures. Document both, and revisit them at the conclusion of the engagement.

The AFM’s four pillars for CSRD assurance quality

The AFM’s February 2026 exploratory review of PIE audit firms produced four pillars for CSRD assurance quality. These aren’t mandatory regulations, but they represent what the Dutch regulator considers a sound approach, and they’ll almost certainly inform how the AFM evaluates non-PIE firms when Wave 2 engagements begin.

First is a quality control system specifically designed for CSRD assurance. This means your firm’s ISQM 1 system needs to address sustainability assurance as a distinct engagement type with its own risk assessment, resource allocation, and monitoring. You can’t subsume it under your existing financial audit quality system without modification.

Second is a competent assurance team with effective project management. The AFM observed that assurance teams and financial audit teams often collaborated during the first reporting cycle, and considered this positive. But “collaboration” doesn’t mean “delegation.” Your sustainability assurance engagement needs team members who understand ESRS, the double materiality concept, GHG emissions calculations, and value chain reporting. If your firm doesn’t have that expertise internally, the AFM’s guidance implies you should either develop it or decide not to offer CSRD assurance.

Understanding the client and its processes is the third pillar, and it’s the one most directly relevant to engagement planning. The double materiality assessment is the starting point for every CSRD report. If the entity’s DMA process is weak, the entire sustainability statement is compromised. You need to understand how the entity identified its impacts, risks, and opportunities (IROs), how it set materiality thresholds, which stakeholders it consulted, and how it determined which ESRS topical standards apply.

Tailoring procedures to assessed assurance risks and assurance materiality is the fourth pillar. Assurance materiality for sustainability information is different from financial statement materiality. Some disclosures are qualitative. Some are quantitative but measured in non-financial units (tonnes of CO2e, headcount, injury rates). You need to determine what constitutes a material misstatement in this context and design procedures that address the specific risks identified.

Worked example: scoping a first CSRD assurance engagement

The following walkthrough shows how a non-PIE firm would approach a Wave 2 CSRD assurance engagement from acceptance through procedure design. Each step includes the documentation note that should appear in the working paper.

Client scenario: Veldman Machinebouw B.V., a Dutch industrial manufacturer with 1,400 employees and €520 million in annual revenue. The company falls within the revised CSRD scope. It produces its first sustainability statement for FY 2027, to be included in the 2028 management report. Your firm has been the statutory auditor for eight years.

1. Confirm scope applicability

Veldman exceeds both thresholds (1,000 employees and €450 million turnover). It’s an EU-based large undertaking under the revised CSRD. Reporting obligation begins FY 2027.

2. Evaluate the double materiality assessment

Veldman’s internal sustainability team ran a DMA identifying climate change (ESRS E1), own workforce (ESRS S1), and pollution (ESRS E2) as material topics. They assessed 14 IROs across these topics, using severity and likelihood scoring with defined thresholds. Four other ESRS topics were assessed as not material, with documented rationale.

3. Assess the reporting entity’s processes and controls

Veldman collects Scope 1 and 2 emissions data through its ERP system. Scope 3 data relies on supplier questionnaires and industry averages. Workforce data comes from HR systems. The entity has no formal internal controls over sustainability data comparable to its financial reporting controls.

4. Determine assurance materiality

For quantitative disclosures, Veldman’s assurance team sets materiality at 5% of total Scope 1+2 emissions (benchmarked against sector peers) and 5% of total workforce for social metrics. Qualitative disclosures (policies, targets, governance descriptions) are assessed on a “could reasonably be expected to influence decisions” basis.

5. Design and execute procedures

For GHG emissions: recalculate Scope 1 from source data, verify Scope 2 against utility invoices, test Scope 3 supplier data on a sample basis. For workforce metrics: test headcount against payroll, verify injury rate calculations. For the DMA: evaluate the methodology, test a sample of IRO assessments against supporting evidence, and assess whether the materiality thresholds were applied consistently.

What the engagement economics look like for non-PIE firms

Before committing to CSRD assurance, run the numbers. A first-year limited assurance engagement for a client like Veldman will take significantly more hours than you might expect. Based on the PIE firm experience in the 2025 reporting cycle, the AFM observed that sustainability assurance required dedicated team allocation and couldn’t be bolted onto the financial audit as an incremental add-on.

For a manufacturing client with four or five material ESRS topics, expect 200–400 hours for a first-year engagement. That includes DMA evaluation (40–60 hours), understanding processes and controls for each material topic (60–100 hours), executing assurance procedures (80–150 hours), and review and reporting (30–50 hours). Second-year engagements will be more efficient as the entity’s processes mature and the team builds familiarity, but the first year is intensive.

Fee recovery depends on the market. CSRD assurance is a new service with limited price benchmarks. PIE firms set rates during the first cycle, and non-PIE firms entering for Wave 2 will face pressure to compete on price while absorbing a steep learning curve. The firms that invested early in training and methodology will have an advantage. Those starting from scratch in 2027 will be doing their learning on the client’s time.

The minimum viable investment for a non-PIE firm to credibly offer CSRD assurance includes training two to four team members on ESRS and ISSA 5000 (approximately 40–60 hours per person), developing or acquiring a sustainability assurance methodology template, updating the ISQM 1 system, and running at least one pilot engagement. For a firm with 20–50 professionals, that’s a meaningful commitment. The question is whether the revenue from Wave 2 engagements will justify it. For firms with several clients above the revised thresholds, the answer is likely yes. For firms with one or two, it may not be.

What to do before your first engagement

1. Decide whether your firm will offer CSRD assurance at all. If you have fewer than five clients likely to fall within scope, the investment in training and methodology development, plus the quality system upgrades, may not be justified. That’s a legitimate business decision.
2. If you proceed, update your ISQM 1 system to include CSRD assurance as a distinct engagement type. Document the additional risks, the resource and competence requirements, and the monitoring procedures. The AFM expects this, and ISQM 1 paragraph 16(a) requires it for new service lines.
3. Build or acquire ESRS expertise within your team. At minimum, one engagement team member needs working knowledge of ESRS 1 (general requirements), ESRS 2 (general disclosures), and whichever topical standards (E1 through S4, G1) are most common among your client base. The simplified ESRS expected by September 2026 will reduce the datapoint count, but the conceptual framework remains unchanged.
4. Obtain and study the CEAOB’s September 2024 guidelines and ISSA 5000. These are your interim standards until the EU adopts harmonised limited assurance standards (deadline: 1 July 2027). The CEAOB guidelines are available on the European Commission’s finance portal.
5. Start conversations with current audit clients who may fall within scope for FY 2027. Understand where they are in their CSRD preparation. If their DMA hasn’t started, flag that the double materiality assessment is the foundation of the entire report and should begin at least 12 months before the first reporting date.
6. Run a pilot. Pick one client, perform a dry-run DMA review and a gap assessment of their sustainability data processes. You’ll learn more in one pilot engagement than in 40 hours of training.

Common mistakes in first-year CSRD assurance

• Treating CSRD as an extension of the financial audit: The AFM’s 2026 review found that some assurance teams treated CSRD engagements as extensions of the financial audit rather than distinct engagements. This led to insufficient risk assessment specific to sustainability information, particularly around value chain data and non-financial estimates.
• Not challenging a superficial DMA: EFRAG’s implementation guidance (IG 1) flags that entities frequently underestimate the granularity required in the double materiality assessment. Assurance practitioners who don’t challenge a superficial DMA end up providing assurance over a sustainability statement that may omit material topics entirely.
• Missing ESRS 1 cross-cutting requirements: The CEAOB guidelines emphasise that the practitioner must evaluate whether the entity’s sustainability statement complies with the ESRS as a whole, not just the individual disclosures. Missing the cross-cutting requirements in ESRS 1 (paragraph 31 on omitting non-material information, paragraph 56 on aggregation) is a frequent gap in first-year reports.

Related Ciferi content

Related guides:

Put audit concepts into practice with these free tools:

Frequently asked questions

Further reading and source references

• Directive (EU) 2022/2464 (CSRD): the source directive requiring sustainability reporting across the EU.
• Directive (EU) 2026/470 (Omnibus I): the amending directive narrowing CSRD scope to 1,000+ employees and €450M+ turnover.
• ISSA 5000, General Requirements for Sustainability Assurance Engagements: the IAASB’s international standard for sustainability assurance.
• CEAOB September 2024 guidelines: interim EU-level expectations for limited assurance over CSRD sustainability statements.