CSRD Limited Assurance vs Reasonable Assurance

What limited and reasonable assurance actually mean

The distinction comes from ISAE 3000 (Revised). Paragraph 11 defines reasonable assurance. Paragraph 12 defines limited assurance. Both are assurance engagements. Both require the practitioner to obtain evidence and exercise professional judgement. The difference is the level of evidence required and the form of the conclusion.

In a reasonable assurance engagement, the practitioner designs and performs procedures to reduce assurance engagement risk to an acceptably low level. The conclusion is expressed in positive form: “In our opinion, the sustainability information is prepared, in all material respects, in accordance with the ESRS.” This is the same form as a financial audit opinion under ISA 700.

In a limited assurance engagement, the practitioner performs fewer procedures and accepts a higher level of assurance engagement risk. The conclusion is expressed in negative form: “Based on the procedures performed, nothing has come to our attention that causes us to believe the sustainability information is not prepared, in all material respects, in accordance with the ESRS.”

The difference is not cosmetic. A reasonable assurance engagement requires the practitioner to obtain sufficient appropriate evidence to support a positive conclusion. That means testing internal controls over sustainability data and performing substantive procedures on underlying records. A limited assurance engagement primarily relies on inquiries and analytical procedures. The practitioner still needs to understand the entity’s processes and identify areas of higher risk, but the depth of testing is significantly lower.

ISAE 3000 (Revised) paragraph 52 provides the clearest framing. A limited assurance engagement involves performing procedures sufficient to obtain a meaningful level of assurance as a basis for a negative form conclusion. A reasonable assurance engagement involves performing procedures sufficient to obtain reasonable assurance as a basis for a positive form conclusion. “Meaningful” is a lower bar than “reasonable,” but it is not a negligible bar. The practitioner cannot issue a limited assurance conclusion based on inquiries alone.

For sustainability data, this distinction has real consequences. Financial statements are produced from a double-entry system with built-in controls (the trial balance must reconcile). Sustainability data often comes from spreadsheets, manual calculations, operational systems not designed for external reporting, and estimates with wide uncertainty ranges. Testing this data to the level required for reasonable assurance would require practitioners to verify source data, test calculation methodologies, evaluate estimation uncertainty, and assess the completeness of the reporting boundary. That is a substantially larger engagement than the inquiry-and-analytics approach that limited assurance permits.

The form of the conclusion also affects how readers interpret the report. A positive opinion (“in our opinion, the information is fairly stated”) provides direct comfort. A negative conclusion (“nothing has come to our attention”) provides indirect comfort. Both are meaningful, but investors and regulators interpret them differently. A reasonable assurance opinion carries the same weight as a financial audit opinion. A limited assurance conclusion carries less.

How the CSRD originally planned the transition

The original CSRD (Directive 2022/2464) envisaged a two-phase approach to sustainability assurance.

Phase 1 was limited assurance from the outset. Every company within the CSRD’s scope was required to obtain limited assurance over its sustainability report starting from its first reporting year. The Commission was tasked with adopting limited assurance standards by 1 October 2026.

Phase 2 was a conditional transition to reasonable assurance. Article 26a of the Audit Directive (as amended by the CSRD) required the Commission to assess whether a transition to reasonable assurance was feasible for both preparers and assurance providers. Based on that assessment, the Commission would adopt reasonable assurance standards by 1 October 2028. The CSRD did not mandate reasonable assurance on a fixed date. It created a mechanism for the Commission to mandate it if the feasibility assessment supported it.

In practice, even the limited assurance timeline slipped. The Stop-the-Clock Directive (adopted April 2025) postponed Wave 2 and Wave 3 reporting by two years. The Omnibus I proposal (February 2025) extended the limited assurance standard deadline from October 2026 to July 2027. And then Omnibus I deleted the reasonable assurance pathway altogether.

The rationale for the deletion is documented in the legislative history. The Commission’s impact assessment noted that sustainability reporting practices were still maturing. Companies were struggling to produce assured data at the limited assurance level. Requiring reasonable assurance would have added costs that many preparers could not absorb, particularly given the simultaneous burden of ESRS data collection. The European Parliament’s negotiating position explicitly supported removing the reasonable assurance upgrade.

What Omnibus I changed

The Omnibus I Directive (Directive 2026/470, published 26 February 2026) made two changes to the assurance framework.

First, it postponed the deadline for the Commission to adopt harmonised limited assurance standards from 1 October 2026 to 1 July 2027. This gives the Commission more time to finalise the standards, which will need to reflect the simplified ESRS that EFRAG submitted in November 2025.

Second, it deleted the option to amend the limited assurance requirement to reasonable assurance. CSRD reports will remain under limited assurance indefinitely.

This is a structural change, not a timing change. The original CSRD created a mechanism for the Commission to upgrade the assurance requirement. Omnibus I removes that mechanism. There is no pathway in the current legislation for reasonable assurance to become mandatory.

The Commission committed to publishing targeted guidelines to clarify the procedures expected during limited assurance engagements. Those guidelines, expected by 2026, will supplement the harmonised standard when adopted. National regulators (the H2A in France, the IBR/IRE in Belgium, the NBA in the Netherlands) have already published their own interim guidelines. The harmonised EU standard will eventually replace these national approaches.

For audit firms, the immediate implication is that the sustainability assurance practice is a limited assurance practice for the foreseeable future. Firms that had modelled revenue projections based on a transition to reasonable assurance (with its correspondingly higher fees) need to adjust those projections.

The cost implications of each level

The cost difference between limited and reasonable assurance is not marginal. Companies receiving limited assurance face costs of approximately 20 to 30% of their average financial assurance costs. A company paying €200,000 for its financial audit would expect to pay €40,000 to €60,000 for limited sustainability assurance.

Reasonable assurance would have pushed that range to 50 to 70% of financial audit fees, based on the additional procedures required. The same company would pay €100,000 to €140,000. For a mid-market entity with €50M to €150M in revenue, that difference represents a material additional compliance cost.

The cost difference reflects the work involved. A limited assurance engagement over a sustainability report typically involves 100 to 200 hours of engagement team time for a mid-size entity: planning, inquiries, analytical procedures, reading the report, and issuing the conclusion. A reasonable assurance engagement would have required 300 to 600 hours for the same entity, adding controls testing, substantive data verification, and expanded documentation.

With reasonable assurance off the table, the cost structure of sustainability assurance will stabilise at the limited assurance level. There is no regulatory driver to push fees higher. Voluntary adoption of reasonable assurance by individual clients remains possible but will be rare, likely limited to entities that want to signal the highest credibility to capital markets.

How the two levels differ in practice

The procedural difference between limited and reasonable assurance changes the nature of the work, not just its volume.

Under limited assurance, the practitioner’s primary procedures are inquiries of management and persons responsible for sustainability reporting, combined with analytical procedures over the sustainability data (comparing reported figures against expectations, investigating significant variances). The practitioner also reads the sustainability report for consistency with their understanding of the entity.

The practitioner does not test internal controls over sustainability data as a standalone procedure. The practitioner does not perform detailed substantive testing of source data. The practitioner does not seek external confirmations of sustainability information from counterparties. These would be required under reasonable assurance.

Under reasonable assurance, the practitioner would need to understand and evaluate the entity’s internal controls over sustainability data (analogous to understanding the control environment under ISA 315). Where controls are relied upon, they would need to be tested for operating effectiveness. Substantive procedures would include testing source data (for example, verifying energy consumption figures against utility invoices), recalculating derived metrics (for example, recomputing Scope 1 emissions from activity data and emission factors), and evaluating estimation methodologies.

The implications for engagement timing are significant. A limited assurance engagement can typically be completed in a fraction of the time required for the financial audit. A reasonable assurance engagement would require engagement planning and interim fieldwork on controls, followed by year-end substantive testing, mirroring the financial audit cycle.

Worked example: testing a Scope 2 emissions figure

Client: Van Leer Chemicals B.V., Rotterdam. Annual revenue: €1.8B. Employees: 2,200. Reported Scope 2 (location-based): 14,200 tCO2e. Data source: energy invoices from four production facilities and two office locations.

Limited assurance procedures

1. The practitioner inquires of the sustainability reporting team about the methodology used to calculate Scope 2 emissions. The team confirms they used location-based emission factors from the AIB European Residual Mix 2024 and applied them to electricity consumption data from the six locations.

2. The practitioner performs an analytical procedure: comparing the reported 14,200 tCO2e against the prior year figure (13,800 tCO2e) and against a rough expectation based on known production volume changes. The 2.9% increase is consistent with the 4% increase in production volume, suggesting no anomaly.

3. The practitioner reads the Scope 2 disclosure in the sustainability report and checks that the methodology description is consistent with what was explained during the inquiry. No inconsistencies are identified.

4. The practitioner does not verify individual energy invoices, does not recalculate the emissions figure from source data, does not test the completeness of the location list, and does not evaluate the appropriateness of the emission factors selected. These procedures are not required under limited assurance.

The distinction matters for the quality of the assurance conclusion. Steps 1 to 3 will catch internal inconsistencies and obvious analytical anomalies. They will not catch a systematically incorrect emission factor, a missing facility, or a spreadsheet formula error that overstates or understates the figure by 15%. Those errors typically surface only through the substantive procedures described below.

Reasonable assurance procedures (hypothetical, no longer required)

5. The practitioner would obtain a complete list of energy meters and supply contracts for all six locations. They would reconcile this list against the locations included in the Scope 2 calculation to test completeness.

6. The practitioner would select a sample of energy invoices (two months from each of the four production facilities) and agree the consumption figures to the data used in the emissions calculation.

7. The practitioner would recalculate the Scope 2 figure using the source data and the stated emission factors, comparing the result to the reported 14,200 tCO2e.

8. The practitioner would evaluate whether the location-based method is appropriate given the entity’s circumstances and whether the market-based method would produce a materially different result. If contractual instruments (such as Guarantees of Origin) exist, the practitioner would assess whether the market-based figure should also be disclosed.

The limited assurance engagement (steps 1 to 3) takes hours. The reasonable assurance engagement (steps 5 to 8, added on top of steps 1 to 3) takes days.

What this means for audit firms

The removal of reasonable assurance from the legislative roadmap has four consequences for audit firms.

First, fee levels for sustainability assurance will stabilise at the limited assurance level. Without a mandatory upgrade to reasonable assurance, there is no regulatory driver to push fees higher. Voluntary adoption of reasonable assurance by individual clients will be rare.

Second, the competence requirements for engagement teams are lower than they would have been under reasonable assurance. Limited assurance does not require practitioners to evaluate internal controls over sustainability data or perform substantive source-data testing. The skills required are closer to those of a review engagement than a full audit. This lowers the barrier to entry for mid-tier firms building sustainability assurance practices.

Third, the risk of assurance quality issues is concentrated in the areas where limited assurance is weakest: data completeness and the accuracy of estimates with wide uncertainty ranges. A limited assurance engagement is unlikely to detect a missing emissions source or an incorrect emission factor, because those findings typically emerge from substantive testing, not from inquiries and analytics.

Fourth, the harmonised EU limited assurance standard (expected by July 2027) will replace the patchwork of national guidelines currently in use. Firms operating across multiple EU jurisdictions will benefit from a single standard. Until then, the H2A guidelines (France), the IBR/IRE draft standard (Belgium), and the NBA guidelines (Netherlands) each contain jurisdiction-specific provisions.

The IAASB’s work on ISSA 5000 (the proposed international standard for sustainability assurance) is proceeding in parallel. ISSA 5000 covers both limited and reasonable assurance engagements. Even though the CSRD no longer requires reasonable assurance, ISSA 5000 will provide a framework for firms that want to offer it voluntarily. The interaction between ISSA 5000 and the EU harmonised standard will need to be carefully managed once both are finalised.

One additional consideration: the removal of reasonable assurance does not mean the limited assurance standard will be weak. The Commission’s guidelines and the eventual harmonised standard are expected to set clear expectations for the depth of analytical procedures, the extent of inquiry procedures, and the documentation standards for limited assurance engagements. National regulators like the H2A have already set a high bar in their interim guidelines. Limited assurance under the CSRD is not the same as a cursory review. It is a structured engagement with defined procedures and a professional conclusion.

For firms serving clients that operate in both EU and non-EU jurisdictions, the divergence between CSRD (limited assurance only) and other regimes is worth noting. The ISSB standards adopted by various jurisdictions do not mandate a specific level of assurance. Some national regulators may require reasonable assurance over climate disclosures in future. Firms with international practices need to track these divergences to avoid applying the wrong assurance level to the wrong report.

Practical checklist

1. Update your sustainability assurance methodology to reflect the Omnibus I position: limited assurance only, no reasonable assurance upgrade on the legislative horizon. Remove any references to a phased transition in your engagement templates and client communications.
2. Adjust revenue projections for sustainability assurance engagements. If your business case assumed a transition to reasonable assurance fees (50 to 70% of financial audit fees), revise downward to the limited assurance range (20 to 30%).
3. Review your engagement procedures against ISAE 3000 (Revised) paragraph 12 and the applicable national guidelines (H2A, IBR/IRE, or NBA depending on jurisdiction). Confirm that your procedures meet the “meaningful level of assurance” threshold without over-engineering the engagement.
4. Track the Commission’s progress on the harmonised limited assurance standard (deadline: 1 July 2027). When published, update your methodology promptly. The standard will supersede national guidelines.
5. For clients that request reasonable assurance voluntarily, scope the engagement separately. Document in the engagement letter that the reasonable assurance engagement is a contractual matter, not a statutory requirement under the CSRD.
6. Ensure your engagement team understands the difference between limited and reasonable assurance procedures, particularly for environmental data points like emissions calculations. The risk of over-auditing (performing reasonable assurance procedures on a limited assurance engagement) is a cost issue. The risk of under-auditing is a quality issue.

Common mistakes

• Telling clients that reasonable assurance is “coming in 2028 or 2030.” This was true under the original CSRD but is no longer correct. Omnibus I deleted the transition mechanism. Repeating outdated guidance undermines credibility with clients who track the regulation themselves.
• Performing controls testing on a limited assurance engagement without a specific risk-based justification. ISAE 3000 (Revised) does not prohibit additional procedures, but performing them increases cost without increasing the required level of assurance. If you test controls, document why the risk assessment warranted it.
• Using a financial audit opinion template (positive form) for a limited assurance report. The conclusion must be expressed in negative form under ISAE 3000 (Revised) paragraph 12. National model reports (H2A, IBR/IRE) provide the correct format. Getting the conclusion form wrong invalidates the entire report.

Related Ciferi content

Related guides:

Put audit concepts into practice with these free tools:

Frequently asked questions

Further reading and source references

• ISAE 3000 (Revised), Assurance Engagements Other than Audits or Reviews of Historical Financial Information: the overarching standard defining limited and reasonable assurance.
• Omnibus I (Directive (EU) 2026/470, published 26 February 2026): removed the reasonable assurance upgrade pathway and extended the limited assurance standard deadline to 1 July 2027.
• CSRD (Directive 2022/2464): the original Corporate Sustainability Reporting Directive, including the now-deleted Article 26a reasonable assurance provisions.
• ISSA 5000, International Standard on Sustainability Assurance: the IAASB’s standard covering both limited and reasonable assurance for sustainability engagements.