Limited Assurance vs Reasonable Assurance Under CSRD: What Verification Bodies Need to Know in 2026
If you provide sustainability assurance services ,or are preparing to, one distinction will define your engagements more than any other in the next two years:
Limited assurance vs reasonable assurance.
These are not just technical labels. They represent different levels of scrutiny, different procedures, different fee structures, and different risk profiles for you as an assurance provider.
And with the Omnibus I changes now in force, the timeline for each has shifted significantly.
In this article, we explain:
- what limited and reasonable assurance actually mean in practice
- where the CSRD stands on each level right now
- how Omnibus I changes the picture
- and what verification bodies should be building toward
Related reading: ISSA 5000 vs ISAE 3000: Which Assurance Standard Should Verification Bodies Choose for CSRD?
The core distinction: what do these two levels mean?
Definition : Limited Assurance In a limited assurance engagement, the practitioner performs sufficient procedures to reduce the risk of material misstatement to an acceptable level, but that level is higher than in reasonable assurance. The conclusion is expressed in negative form: “Nothing has come to our attention that causes us to believe that the sustainability information is materially misstated.” Limited assurance involves primarily inquiry and analytical procedures rather than extensive testing of underlying data.
Definition : Reasonable Assurance In a reasonable assurance engagement, the practitioner reduces the risk of material misstatement to a low level. The conclusion is expressed in positive form: “In our opinion, the sustainability information is presented fairly, in all material respects.” Reasonable assurance requires substantially more evidence detailed testing of data, controls assessment, and more extensive documentation and is analogous in rigour to a financial audit.
In short: reasonable assurance is significantly more demanding than limited assurance both for the reporting entity and for the assurance provider.
The difference is not just semantic. It translates into:
- more procedures, more time, more documentation
- deeper examination of internal data systems and controls
- higher practitioner competence requirements
- and typically higher engagement fees
Where does CSRD currently stand?
The original CSRD text, before Omnibus I, set the following trajectory:
- Phase 1 (from 2025 reports): limited assurance required
- Phase 2 (from 2028 reports): transition to reasonable assurance
That transition was always ambitious. It assumed that in roughly three years, reporting entities would have mature enough data systems and internal controls to support a higher level of scrutiny and that the assurance market would have sufficient qualified providers.
Neither assumption has been fully met.
What Omnibus I changes and what it does not
Definition : Omnibus I Omnibus I refers to Directive (EU) 2026/470, which entered into force on 18 March 2026. It amends the CSRD and CSDDD, narrowing the scope of mandatory reporting, extending timelines, and simplifying certain ESRS requirements. On assurance specifically, Omnibus I defers the transition from limited to reasonable assurance to at least 2028.
What changes:
The transition to reasonable assurance has been formally deferred to at least 2028. This gives reporting entities more time to build the data infrastructure and internal controls that reasonable assurance requires.
For assurance providers, it means that limited assurance remains the operative standard for the foreseeable future at least for the next two reporting cycles.
What does not change:
Limited assurance is still mandatory for Wave 1 companies reporting on FY 2024 and FY 2025 data. The obligation exists now. Providers need to be ready.
The eventual transition to reasonable assurance has not been cancelled only deferred. The direction of travel remains unchanged. Bodies that do not prepare will find themselves behind when the transition arrives.
Why this matters more than it seems
Many verification bodies make the mistake of treating the reasonable assurance deferral as a signal to deprioritise readiness.
That is a strategic error. Here is why.
Data systems take years to build
The transition to reasonable assurance will require reporting entities to have mature, auditable data pipelines for their sustainability KPIs. Many Wave 1 companies discovered during their first CSRD cycle that their data quality was insufficient even for limited assurance.
Building those systems is a multi-year process. The 2028 deadline is closer than it looks.
Competence gaps cannot be closed overnight
Reasonable assurance demands deeper practitioner skills, particularly in internal controls assessment, sampling methodology, and data system evaluation.
If your team is built for GHG verification under ISO 14064-3, you likely have strong quantitative competencies. But CSRD reasonable assurance also requires qualitative judgement across social, governance, and biodiversity indicators, a different skill set.
According to the IAASB, fewer than 30% of sustainability assurance practitioners currently have experience with reasonable assurance engagements in the sustainability context. The competence gap is real.
Your clients will ask about reasonable assurance readiness
Sophisticated clients, particularly those with investor or regulatory pressure, will begin asking their assurance providers: “Are you ready for reasonable assurance when the time comes?”
Being able to answer confidently with a documented transition plan is a competitive differentiator today.
What verification bodies should build now
Understand the procedural differences in depth
Limited assurance relies primarily on inquiry and analytical procedures. Reasonable assurance requires:
- Testing of internal controls over sustainability data
- Substantive testing of underlying transactions and source data
- Assessment of management’s methodology for estimating non-measured data
- More extensive documentation of the practitioner’s judgement
Map these differences explicitly against your current engagement methodology.
Assess your current limited assurance practice honestly
Before planning for reasonable assurance, make sure your limited assurance engagements are genuinely robust.
Common weaknesses in current practice:
- Reliance on management representations without sufficient corroboration
- Inadequate documentation of the practitioner’s understanding of the sustainability matter
- Insufficient challenge of boundary definitions and scope decisions
- Weak documentation of how double materiality was assessed by the reporting entity
These weaknesses will be exposed either by your accreditation body or by your clients as the market matures.
Build your reasonable assurance methodology progressively
Do not wait for the regulatory deadline to start building.
Develop a draft reasonable assurance methodology now, even if you are not deploying it yet. This means:
- defining your sampling approach for quantitative sustainability data
- documenting your approach to internal controls assessment
- building practitioner competence profiles aligned with ISSA 5000 reasonable assurance requirements
- testing your methodology on a pilot basis with a willing client
Engage your accreditation body on scope extension
If your current ISO 17029 accreditation scope covers only limited assurance (or is GHG-specific), engage your accreditation body now about the pathway to extending scope to CSRD reasonable assurance.
Accreditation body assessments for extended scope take time. Starting the conversation in 2026 gives you a realistic path to readiness by 2028.
Related reading: ISO 14019:2026 – New Requirements for Verification Bodies in Climate Transition and Sustainability Assurance
In summary
| Limited Assurance | Reasonable Assurance | |
| Current CSRD status | Mandatory now for Wave 1 | Deferred to at least 2028 |
| Form of conclusion | Negative (“nothing came to attention…”) | Positive (“in our opinion…”) |
| Primary procedures | Inquiry + analytical procedures | Controls testing + substantive testing |
| Practitioner effort | Moderate | Substantially higher |
| Data system requirements for reporting entity | Basic | Mature, auditable |
| Typical preparation timeline for VVBs | Already operational | 2–3 years minimum |
FAQ : Limited vs Reasonable Assurance Under CSRD
Is limited assurance sufficient to meet CSRD obligations for reporting companies? Yes, for now. Under the current rules (post-Omnibus I), limited assurance is the required level for all in-scope companies. The transition to reasonable assurance has been deferred to at least 2028. However, some companies are voluntarily seeking reasonable assurance to strengthen stakeholder confidence.
Will all companies eventually need reasonable assurance under CSRD? The current direction points to yes, for companies within the CSRD scope. The Omnibus I package deferred the transition, but did not cancel it. The European Commission is expected to publish further guidance on the reasonable assurance timeline before the end of 2026.
What is the difference between an assurance engagement and a GHG verification under ISO 14064-3? A GHG verification under ISO 14064-3 focuses specifically on a greenhouse gas inventory, checking that emissions data has been calculated correctly according to the relevant protocol. A CSRD assurance engagement covers the full sustainability report, including social, governance, and biodiversity indicators, and applies either ISAE 3000 or ISSA 5000 as the assurance standard. Many VVBs with strong GHG verification capabilities are now expanding into broader CSRD assurance.
Can a verification body accredited under ISO 17029 provide both limited and reasonable assurance under CSRD? Yes, provided the VVB’s accreditation scope explicitly covers the relevant level of assurance, and the body demonstrates the required competence, methodology, and ethics compliance (including IESBA alignment under ISSA 5000). Scope extensions require formal assessment by the accreditation body.
Need to assess your readiness for the assurance transition?
Many verification bodies are navigating similar questions right now:
- Is our current limited assurance practice genuinely robust?
- How do we build toward reasonable assurance capability before 2028?
- What does ISSA 5000 require beyond what we currently do?
At Eco Fluent Solutions, we work with verification bodies to:
- audit current engagement practices against ISAE 3000 and ISSA 5000 requirements
- identify competence and methodology gaps for reasonable assurance
- design a structured readiness roadmap aligned with your accreditation body’s expectations
Book a consultation to assess your current practice and plan your transition.
Eco Fluent Solutions is a specialist consultancy in ISO management systems and sustainability governance assurance. We support verification bodies in building accreditation-ready systems, from ISO 17029 compliance to CSRD assurance readiness.
