Introduction

Independent verification of greenhouse gas emissions data is transitioning from a voluntary best practice into a mandatory legal obligation on both sides of the Atlantic. Under California’s SB 253, limited assurance on Scope 1 and 2 emissions becomes mandatory in 2027, while the EU’s Corporate Sustainability Reporting Directive has required limited assurance from the first reporting year. What those mandates demand from your data systems, internal controls, and governance structures is the strategic question every CSO and executive team must resolve before the compliance window closes.

Key Takeaways

• GHG assurance is not an audit of your sustainability strategy — it is an independent examination of whether your emissions data is free from material misstatement
• Under California SB 253, no assurance was required for the 2026 first filing, but limited assurance on Scope 1 and 2 emissions becomes mandatory starting in 2027, with reasonable assurance phased in by 2030 per the original statute
• Under CSRD post-Omnibus I, limited assurance is mandatory from the first reporting year and will remain at that level permanently — the planned transition to reasonable assurance has been removed
• Limited and reasonable assurance are not versions of the same process; they differ fundamentally in depth, evidence requirements, and operational burden on the reporting company
• The window for building assurance-ready data infrastructure is H2 2026 — before mandatory deadlines activate and before qualified verifier capacity becomes constrained

What Is GHG Assurance and Why Is It a Board-Level Obligation?

GHG assurance is the process by which an independent, qualified third party evaluates whether a company’s reported greenhouse gas emissions are free from material misstatement. It is not a review of your sustainability ambitions, your net zero targets, or your decarbonization roadmap. It is a structured, evidence-based examination of a specific question: does the data you have reported to regulators accurately reflect the emissions produced by your organization, calculated in accordance with an accepted methodology such as the GHG Protocol?

This distinction matters at the executive level because assurance is fundamentally a data governance question, not a sustainability communications question. The auditor examining your Scope 1 and 2 inventory is asking the same foundational questions that a financial auditor asks of your accounts: are the numbers traceable to source data, are the calculation methodologies consistently applied, and are the estimates supported by documented assumptions?

The shift from voluntary to mandatory assurance reflects a global regulatory consensus that disclosed emissions data must carry the same credibility as financial disclosures. Investors, lenders, and regulators are making capital allocation and enforcement decisions on the basis of emissions reports. Without independent verification, those decisions rest on unaudited figures. Both California and the European Union have moved to close that gap through legislation, and both have attached material financial penalties to non-compliance.

Under SB 253, companies that fail to file emissions reports or submit materially incomplete data face administrative penalties reaching $500,000 per reporting year. Under CSRD, sustainability disclosures sit inside the annual management report and carry the same regulatory and legal weight as financial statement disclosures, with member state-level enforcement mechanisms applicable. These are not reputational consequences — they are financial and legal liabilities that belong on the board agenda and in audit committee discussions alongside any other material compliance obligation.

The SB 253 Assurance Schedule: What California Requires and When

California’s Climate Corporate Data Accountability Act (SB 253) introduced a phased assurance schedule that gives large companies one transitional year before mandatory verification begins. Understanding that schedule precisely — including where rulemaking is still in progress — is essential for building a credible compliance plan.

For the first reporting cycle, covering Scope 1 and 2 emissions due by August 10, 2026, the California Air Resources Board confirmed that limited assurance is not required. CARB’s December 2024 Enforcement Notice established that companies would not face penalties for the first cycle provided they demonstrate a good faith effort and retain supporting emissions data. This discretion was reaffirmed at CARB’s March 23, 2026 public workshop. The 2026 filing year is a transitional period — not a signal that assurance obligations will remain light.

The assurance mandate activates in 2027. At the March 2026 workshop, CARB confirmed that limited assurance on Scope 1 and 2 emissions will be required beginning with the 2027 reporting cycle, covering fiscal year 2026 data. CARB is currently in the pre-rulemaking phase for 2027 requirements. As part of that process, CARB has proposed five assurance standards from which reporting entities may choose: the International Standard on Sustainability Assurance 5000 (ISSA 5000), ISAE 3000 (Revised) and ISAE 3410 (until December 2026), AICPA AT-C Section 210 for limited assurance or AT-C 205 for reasonable assurance, AA1000AS v3, and ISO 14064-3. Final assurance standards will be addressed through a formal Notice of Proposed Rulemaking, which has not yet been published at the time of writing.

Scope 3 emissions reporting also begins in 2027, covering fiscal year 2026 data. CARB presented three approaches under consideration at the March workshop: broad applicability across all 15 GHG Protocol categories, a sectoral phase-in prioritizing transportation and industrial sectors, and a category-based phase-in starting with the five most widely reported categories, including purchased goods and services, business travel, and employee commuting. Assurance requirements for Scope 3 remain under consideration and will be addressed in the 2027 rulemaking.

The original SB 253 statute contemplates a further escalation: reasonable assurance on Scope 1 and 2 emissions by 2030, with limited assurance on Scope 3 beginning in the same year. Critically, between 2027 and 2030, the statute provides a safe harbor from penalties for good faith misstatements of Scope 3 data — but that protection applies only to companies that are actively building and demonstrating compliance efforts. It does not extend to companies that have deferred preparation or failed to engage with CARB’s ongoing rulemaking process.

The CSRD Assurance Position: How Omnibus I Changed the Rules

The European Union’s approach to GHG assurance under the Corporate Sustainability Reporting Directive follows a different architecture than California’s, and a significant structural change took effect in early 2026 that every globally operating company must understand.

Under the CSRD as originally designed, limited assurance was mandatory from the first reporting year, with a planned escalation to reasonable assurance by October 2028 following a feasibility assessment by the European Commission. The Omnibus I directive, formally published in the EU’s Official Journal on February 26, 2026 as Directive (EU) 2026/470, removed that escalation permanently. As the European Commission’s own summary of the Omnibus package states, the reform keeps the assurance requirement at the level of limited assurance and does not move in the future to the more demanding level of reasonable assurance. This is a deliberate policy decision to reduce compliance costs for reporting entities, and it applies indefinitely.

What has not changed is the core obligation: all companies in scope for CSRD must obtain limited assurance from a qualified third party from their first reporting year. For Wave 1 companies — those previously subject to the Non-Financial Reporting Directive — this obligation began with fiscal year 2024 data, reported in 2025. These companies are now preparing their second annual CSRD report. For Wave 2 companies, those meeting the revised post-Omnibus I thresholds of more than 1,000 employees and €450 million in revenue, the first CSRD report covering fiscal year 2025 data is due in 2026.

There is currently a transitional gap at the EU level. The CSRD requires the European Commission to adopt harmonized limited assurance standards by October 1, 2026. Until those standards are adopted, the Committee of European Auditing Oversight Bodies has published interim guidelines, and member states may apply national assurance standards or pronouncements in the interim period. The Commission’s official deadline for adopting harmonized limited assurance standards has been extended under Omnibus I to July 1, 2027.

One standard that bridges both the EU and US contexts is ISSA 5000. Published by the International Auditing and Assurance Standards Board in November 2024 and effective for assurance engagements on sustainability information reported for periods beginning on or after December 15, 2026, ISSA 5000 is the first comprehensive global framework designed specifically for sustainability assurance. It replaces ISAE 3410 — the standard previously used for GHG statement assurance — which is withdrawn once ISSA 5000 becomes effective. CARB has listed ISSA 5000 as one of its five proposed accepted standards for SB 253, and ISSA 5000 is designed to be compatible with CSRD assurance requirements. For multinational organizations managing both SB 253 and CSRD obligations, ISSA 5000 represents the most operationally efficient convergence point.

What Is the Difference Between Limited Assurance and Reasonable Assurance in GHG Reporting?

This is the question most frequently misunderstood at the executive level, and the confusion has material consequences. Limited and reasonable assurance are not two degrees of the same verification process. They represent fundamentally different engagement structures, evidence demands, and operational burdens — and the gap between them is wider than the terminology suggests.

Limited assurance produces what practitioners call a negative conclusion. The assurance provider states that nothing has come to their attention that causes them to believe the emissions data contains material misstatements. The auditor reaches that conclusion through inquiry, analytical procedures, and targeted testing — a moderate level of scrutiny that focuses on the most significant risk areas without testing the entire population of transactions.

Reasonable assurance produces a positive conclusion: the emissions data is fairly stated in all material respects. Reaching that conclusion requires comprehensive audit procedures, substantive testing at scale, and an assessment of the adequacy of the company’s internal controls over sustainability data. As CSRD Recital 60 states directly: “The amount of work in a reasonable assurance engagement entails extensive procedures including consideration of internal controls of the reporting undertaking and substantive testing, and is therefore significantly greater than in a limited assurance engagement.”

The operational implications of that distinction are significant. Under limited assurance, an auditor may sample a representative subset of supplier transactions and extrapolate findings. Under reasonable assurance, material categories must be tested comprehensively, not sampled. For a large manufacturing company where Scope 3 Category 1 (Purchased Goods and Services) represents the majority of total emissions, the transition from limited to reasonable assurance can demand evidence for the large majority of supplier transactions by emissions contribution — a fundamentally different data collection and documentation challenge.

Regardless of assurance level, the incoming ISSA 5000 standard defines a consistent set of elements that sustainability assurance practitioners examine. These include: compliance of the emissions data with the relevant reporting framework, such as the GHG Protocol; the traceability and integrity of the evidence chain underlying each reported figure; the appropriateness of estimates and assumptions, with documented support for methodological choices; the consistency of narrative disclosures with underlying quantitative data; and the assessment of fraud risk within the sustainability reporting process. A disclosure can be materially misstated through error or through omission — both are within scope for an assurance engagement under ISSA 5000.

The practical message for CSOs and boards is this: the data infrastructure required to pass limited assurance is necessary but not sufficient for reasonable assurance. Companies subject to SB 253 face a statutory trajectory toward reasonable assurance by 2030. Building systems designed only to satisfy the 2027 limited assurance standard creates a near-certain need for costly remediation before the decade ends. The more durable investment is a data architecture designed with reasonable assurance in mind, implemented in stages aligned to the regulatory schedule.

What Executive Teams Must Do in H2 2026 to Be Assurance-Ready in 2027

The 2026 first-filing year under SB 253 — free from mandatory assurance by CARB’s enforcement discretion — is the preparation window. For CSRD companies, that window has already closed: assurance is live. For SB 253 companies, the twelve months between now and the 2027 mandatory deadline represent the most consequential period in your organization’s assurance readiness journey. The following five decisions belong on the CSO’s agenda before year-end.

Confirm your organizational boundary approach. CARB has proposed two methods for establishing which operations are included in an SB 253 emissions inventory: the equity share approach, which accounts for emissions based on ownership percentage, and the operational control approach, which accounts for all emissions from operations over which the company has financial or operational control. The choice affects which facilities, subsidiaries, and joint ventures must be included in the assured inventory. This decision should be made now, before CARB finalizes the 2027 rulemaking, so that data collection systems can be scoped accordingly.

Select your assurance standard. ISSA 5000 is the emerging global convergence point across both SB 253 and CSRD. Effective December 15, 2026, it replaces ISAE 3410 for GHG statement assurance and has been listed by CARB as one of its five proposed accepted standards. For organizations managing both US and EU reporting obligations, aligning on ISSA 5000 early reduces the risk of running parallel assurance processes under different standards. Confirming your standard selection also allows your assurance provider to begin scoping their engagement in advance.

Conduct an internal dry run before mandatory external review. Baker Tilly’s advisory guidance on SB 253 recommends that companies perform an assurance assessment as a dry run in 2026, specifically to identify gaps in documentation, internal controls, and data integrity before the first mandatory external engagement in 2027. This means mapping every data source to the emission figure it supports, documenting the calculation methodology applied, testing the evidence trail that an auditor would follow, and identifying where estimates have been used without adequate supporting documentation. Gaps identified in an internal review are remediation opportunities. Gaps identified by an external auditor during a mandatory engagement are findings that may affect the assurance conclusion.

Engage an independent assurance provider early. Verifier independence is a structural requirement: the organization providing assurance on your emissions data cannot be the same party advising on how to collect or calculate that data. Qualified assurance capacity in the sustainability space is currently under significant demand, with both SB 253 and CSRD creating parallel pools of companies requiring verified disclosures for the first time. Engaging a provider early — before the Q1 2027 reporting season concentrates demand — gives your organization influence over engagement timing, scope negotiation, and the ability to address any pre-engagement data quality issues without time pressure.

Build year-over-year comparability into your data systems now. Both CSRD and SB 253 require consistent, comparable emissions reporting across reporting periods. Auditors will test not only the accuracy of the current period’s data but also whether it can be meaningfully compared to prior periods. This requires methodological consistency, documented reasons for any restatements, and data systems that retain the calculation inputs — not just the final figures — for each reporting year. Organizations that build comparability into their data architecture in 2026 will face significantly fewer audit complications as reporting matures.

For boards and audit committees, the assurance schedule also demands a governance response. CSOs should brief their boards on the cost implications of the assurance ramp — external assurance fees, internal staff time, and data system investment — and on the organizational boundary and standard selection decisions that require executive approval. The Commonwealth Climate Law Initiative’s director guidance for 2026 frames the key board-level questions clearly: what is our reporting, controls, and assurance plan for fiscal years 2025 and 2026; which disclosures rely on estimates or proxies, and what processes are in place to ensure their consistency and explainability; and which EU or US entity will own governance, data collection, and assurance mobilization internally.

The Strategic Imperative: Treat 2026 as Year Zero for Assurance Readiness

GHG assurance is not arriving in 2027 — for companies already subject to CSRD, it is already active. For companies subject to SB 253, the August 10, 2026 filing deadline marks the end of the transitional period, not the continuation of it. The decisions made in H2 2026 — on organizational boundaries, assurance standards, data infrastructure, internal controls, and verifier selection — will determine whether the 2027 assurance engagement is a manageable annual process or a disruptive, penalty-exposed exercise in remediation.

The strategic lesson from the CSRD’s first wave of assurance engagements is that organizations that invested in traceable, well-documented, methodologically consistent data systems before their first mandatory engagement passed with fewer findings and at lower cost than those that treated assurance as a problem to be solved after the deadline. That lesson is directly applicable to the SB 253 cohort preparing for 2027.

Boards and CSOs who treat assurance readiness as a data governance priority — on a par with financial audit readiness — will build the kind of credible, defensible emissions disclosure that regulators, investors, and supply chain partners increasingly require.

Why Work with ASUENE Inc.?

ASUENE is a key player in carbon accounting, offering a comprehensive platform that measures, reduces, and reports emissions, including Scope 1-3. ASUENE serves over 50,000 clients worldwide, providing an all-in-one solution that integrates GHG accounting, ESG supply chain management, a Carbon Credit exchange platform, and third-party verification.

ASUENE supports companies in achieving net-zero goals through advanced technology, consulting services, and an extensive network.