← Back to CSRD Insights
Insights

CSRD Limited Assurance After the Omnibus: What's Settled, What's Interim, and How to Prepare

Editorial cover for a post on CSRD limited assurance. Diagrammatic/typographic: an audit checkmark or assurance seal, a document with a "limited assurance" stamp, a subtle scale comparing limited vs reasonable assurance. Petrol-teal and amber on warm off-white. No leaves, no globes, no stock office photos.

The assurance question that hung over CSRD for two years is now answered. The Omnibus I Directive - in force since 18 March 2026 - permanently removed the obligation to escalate from limited to reasonable assurance. For Wave 1 companies already in their second reporting cycle, that settles the planning horizon. Limited assurance is where CSRD stays, indefinitely.

This article explains what limited assurance actually requires, why the Omnibus froze it there, which standards your auditor is working to right now, and what you need to have ready before the engagement starts.


What "limited assurance" actually means

Limited assurance is not a lighter version of a financial audit. It is a different type of engagement with a different conclusion.

Under a limited assurance engagement, the practitioner performs enquiries, analytical procedures, and targeted testing - but does not gather the volume of evidence required for a full audit. The conclusion is expressed as a negative statement: nothing has come to our attention to suggest the sustainability statement is not prepared, in all material respects, in accordance with the applicable requirements.

Compare that to reasonable assurance - the standard used in financial audits - where the auditor gathers sufficient evidence to express a positive opinion: in our view, the statement is fairly presented. More evidence, more procedures, higher cost.

The CSRD requires limited assurance over the sustainability statement from the first year of application. That requirement was not changed by the Omnibus. What changed is the escalation path: the previously planned move to reasonable assurance has been deleted from the legislation entirely.


What the Omnibus I Directive changed - and what it didn't

The Omnibus I Directive was published in the Official Journal of the EU on 26 February 2026 and entered into force on 18 March 2026.

On assurance, it made two specific changes:

1. Reasonable assurance is permanently off the table. Under the previous rules, the Commission was required to assess the feasibility of transitioning to reasonable assurance and adopt corresponding standards by October 2028. The Omnibus Package removes this obligation, meaning that CSRD reports will remain under limited assurance indefinitely. This eliminates the possibility of stricter assurance requirements in the future, reducing the compliance burden on companies.

2. The deadline for EU limited assurance standards was postponed. The Omnibus postpones the deadline for the European Commission's adoption of limited assurance standards from October 1, 2026, to July 1, 2027. This is a change from the original EC proposal, which had proposed removing the requirement to adopt limited assurance standards altogether. The standards will still be adopted - just later.

What did not change: the CSRD continues to require limited assurance over sustainability reporting from the first year of application. Wave 1 companies reporting for FY2025 are subject to assurance now, under the current interim framework.


Which standards apply in the interim?

Until EU-wide limited assurance standards are adopted (deadline: 1 July 2027), assurance providers rely on existing international standards and the CEAOB guidelines published in September 2024.

In the current period, CSRD assurance engagements are performed under ISAE 3000 (Revised). As of early 2025, more than 70 CSRD reports across 16 European jurisdictions had been published under ISAE 3000 limited assurance.

In March 2023, the Commission invited CEAOB to develop non-binding guidelines, which were published on 30 September 2024. These guidelines do not constitute a standard and should be read alongside any national rules applicable to sustainability reporting assurance.

The aim of these non-binding guidelines is to create a common understanding of the key points for the limited assurance of sustainability information. The CEAOB guidelines provide non-binding recommendations on limited assurance, serving as a temporary reference point until the European Commission adopts formal standards. The goal is to bridge the gap and ensure consistency in assurance of sustainability reports across jurisdictions.

Looking ahead: from December 2026, ISSA 5000 becomes effective for sustainability assurance engagements. ISSA 5000 is a standalone standard - practitioners applying it do not also need to apply ISAE 3000. ISSA 5000 introduces sustainability-specific concepts including double materiality, value chain considerations, qualitative disclosures, and forward-looking information. The EU's formal limited assurance standard, due by July 2027, is expected to be built on ISSA 5000 with EU-specific add-ons.

info Note

The standards timeline in brief:

  • Now: ISAE 3000 (Revised) + CEAOB 2024 guidelines
  • December 2026: ISSA 5000 becomes effective (early adoption already permitted)
  • By 1 July 2027: EU Commission adopts formal limited assurance standards via delegated act

Your assurance provider will tell you which standard they are applying. Ask early — it affects the scope of their procedures.


How to prepare for your assurance provider

Limited assurance is less burdensome than a financial audit, but it is not a rubber stamp. Auditors performing CSRD engagements will test the process behind the numbers, not just the numbers themselves. The following areas consistently generate findings in early Wave 1 engagements.

1. Document your double materiality assessment (DMA)

The DMA is the foundation of your sustainability statement - it determines what you report. Your assurance provider will test whether the process was sound, not just whether the output looks reasonable.

You need to be able to show: the methodology used, the stakeholder engagement conducted, the criteria applied to determine materiality thresholds, and the rationale for topics assessed as not material. A well-documented DMA is one of the highest-value investments you can make before the auditor arrives. For a step-by-step guide, see our double materiality assessment guide.

2. Build an audit trail for ESG data

For every quantitative disclosure - emissions figures, headcount data, energy consumption, injury rates - you need a clear chain from source to reported number. That means:

  • Source documentation: raw data from meters, HR systems, invoices, or supplier responses
  • Calculation records: spreadsheets or system outputs showing how source data was aggregated or converted
  • Version control: evidence that the final reported figure matches the final calculation, not an earlier draft

Auditors will sample disclosures and trace them back. Gaps in the chain create findings.

3. Establish controls over ESG data

Management's responsibility is not reduced just because the sustainability information is subject to limited assurance. Assurance providers will look for evidence that someone inside the organisation reviewed and approved the data before it was reported - not just that the data exists.

Basic controls to have in place:

  • A named data owner for each material topic
  • A review and sign-off step before data enters the sustainability statement
  • A process for identifying and correcting errors found after initial collection

4. Prepare your value chain data with caveats documented

There may be inherent limitations in achieving data availability and quality, which can be particularly challenging for value chain information. Auditors understand this. What they need to see is that you made reasonable efforts to obtain the data, documented what you could not get and why, and applied estimates consistently where direct data was unavailable.

5. Run an internal review before the auditor arrives

Do not wait for the assurance engagement to discover gaps. Assign someone - internal audit, a finance controller, or an external adviser - to walk through the sustainability statement against the underlying evidence before the practitioner starts. Issues found internally are far easier to resolve than issues raised in a formal finding.


The bottom line

The Omnibus I Directive has done something useful: it removed the uncertainty. CSRD assurance is limited assurance, it stays at limited assurance, and the EU standard that will define exactly what that means is due by 1 July 2027. Until then, your auditor works to ISAE 3000 and the CEAOB 2024 guidelines.

For Wave 1 companies, the practical implication is straightforward. The assurance bar is not going to rise. But it is also not going away. The time to build the documentation, controls, and audit trail is before the engagement starts - not during it.


This article is for information purposes only and does not constitute legal or professional advice. Consult a qualified assurance provider or legal adviser for guidance specific to your situation.