Of all the requirements in California’s SB 253, Scope 3 is the one keeping sustainability and finance teams up at night. Scope 1 and Scope 2 emissions are mostly controllable: you know your facilities, your utility bills, your fleet. Scope 3 is the inverse. It requires your suppliers, customers, and logistics partners to give you data they may not have measured themselves. And starting in 2027, you need to disclose it publicly and have a third party assure it.
This is not a theoretical challenge. European companies spent the better part of 2023 and 2024 learning exactly how hard Scope 3 is under CSRD, a regulation with nearly identical structural requirements. US companies can learn from that experience. The key lessons are practical, and the time to apply them is now.
Table of contents
- Why Scope 3 is the bottleneck
- What “assurance” on Scope 3 actually means
- What European companies learned under CSRD
- How Dcycle addresses Scope 3 under SB 253
Why Scope 3 is the bottleneck
The GHG Protocol defines 15 Scope 3 categories spanning the full upstream and downstream value chain. Under SB 253, companies must disclose all material Scope 3 categories. Determining which categories are material, collecting the underlying data, and applying a consistent methodology is where the real work lies.
Supplier data gaps are the most common problem. For Category 1 (purchased goods and services), the gold standard is primary data from each supplier: actual emissions per unit of product or service delivered. In practice, most suppliers have not measured their emissions, do not have verified figures, and respond inconsistently or not at all to data requests. Companies end up relying on spend-based estimates, which are less accurate but more readily available.
Boundary decisions create another layer of complexity. Which subsidiaries are included? Do joint ventures fall in scope? What is the cutoff for small suppliers? These decisions must be documented, defensible, and consistent year over year. Changing boundaries between reporting periods makes trend analysis meaningless and raises flags for assurance providers.
Methodology consistency is a third issue. Scope 3 calculations can use multiple approaches: activity-based calculations, spend-based estimates, supplier-specific data, industry average data. Each category may require a different approach based on data availability. Documenting which methodology was used for each category, why, and how factors were selected is labor-intensive without the right tooling.
Category 11 (use of sold products) and Category 15 (investments) are particularly complex for manufacturing, financial services, and technology companies. These categories often represent the single largest share of a company’s Scope 3 footprint, and they require assumptions about product lifespans, customer behavior, and portfolio allocation that are both contested and auditable.
What “assurance” on Scope 3 actually means
SB 253 requires third-party assurance of emissions disclosures. For Scope 3, assurance means something specific: an independent assurance provider must review the reported figures and reach a conclusion about whether they are materially correct.
At the limited assurance level (the initial requirement), the provider conducts procedures and confirms there is nothing that causes them to believe the data is materially misstated. This is not a rubber stamp. Providers will ask for:
- Documentation of which Scope 3 categories are included and which are excluded, with rationale
- Evidence of the emission factors used for each calculation
- Data sources for activity data (invoices, logistics records, supplier questionnaires)
- Documented methodology for each category, including assumptions
- Evidence of internal review and sign-off before submission
If this documentation does not exist in a structured, accessible form, the assurance engagement becomes a remediation project first. That costs time and money, and typically delays the first compliant filing.
At the reasonable assurance level (required at a later stage under SB 253), the standard is higher. The provider must positively confirm the data is accurate, not merely note the absence of obvious problems. This requires more extensive testing, direct confirmation from data sources, and a more rigorous review of methodology choices.
What European companies learned under CSRD
CSRD has required mandatory Scope 3 disclosure from large European companies since 2024, with assurance requirements phased in alongside. The implementation experience reveals several patterns that US companies should factor into their SB 253 planning.
Starting too late on supplier engagement is the most common mistake. Companies that waited until six months before their first filing to send supplier questionnaires found response rates under 20%. Meaningful supplier data collection requires at least 12 to 18 months of relationship building, clear ask templates, and follow-up processes. Companies that ran that process well in advance had significantly better primary data coverage and fewer assurance exceptions.
Spend-based estimates are fine to start, but they cannot be the entire methodology. Assurance providers under CSRD flagged companies that relied entirely on spend-based figures for high-materiality categories, particularly Category 1. Regulators expect that over time, companies shift from generic estimates to supplier-specific or activity-based data for their most significant categories. Starting the transition now, even for a subset of key suppliers, is better than defending an entirely estimate-based inventory to an assurance provider.
Materiality thresholds need to be documented upfront. European companies that had not pre-defined their materiality threshold (the cutoff below which a Scope 3 category is considered not material and therefore excluded) faced difficult conversations during assurance. The threshold itself is not prescribed, but the rationale for it must be defensible. Define it early, document it, and apply it consistently.
Multi-entity structures amplify every challenge. Companies with subsidiaries in multiple countries found that Scope 3 data collection had to be managed at the entity level, then consolidated. Different entities had different suppliers, different data systems, and different levels of ESG maturity. Without a centralized data management layer, consolidation was a manual process prone to error.
The firms that moved fastest had integrated data infrastructure. The CSRD implementation leaders in Europe were not the companies with the largest ESG teams. They were the companies that had data collection tooling in place across their entities before the first reporting cycle. That infrastructure cut data collection time by 60 to 70% compared to spreadsheet-based processes.
How Dcycle addresses Scope 3 under SB 253
Dcycle was built for exactly this problem. The platform currently supports Scope 3 reporting for over 2,000 companies under CSRD and GHG Protocol frameworks, and the same infrastructure applies directly to SB 253.
Supplier engagement module: Dcycle includes structured supplier data request workflows, covering questionnaire design, automated reminders, response tracking, and data validation. Companies can segment their supply chain by category and materiality, prioritize high-impact suppliers for primary data collection, and fall back to spend-based estimates where primary data is unavailable. All supplier responses are stored with version control and linked to the specific reporting period.
Multi-framework data layer: For companies with both CSRD and SB 253 obligations, Dcycle collects Scope 3 data once and maps it to both frameworks simultaneously. There is no parallel data entry, no reconciliation effort between separate systems, and no risk of reporting different figures to different regulators from the same underlying data.
Audit trail per data point: Every Scope 3 figure in Dcycle carries a complete evidence chain: the activity data source, the emission factor applied, the calculation logic, the person who entered the data, and the date. This documentation layer is what an assurance provider reviews. Companies that build their inventory in Dcycle are assurance-ready by default.
Multi-entity management: Dcycle handles complex organizational structures natively. A parent company with 20 subsidiaries can run entity-level data collection in parallel, review progress by entity, and consolidate into a single group-level Scope 3 inventory without manual aggregation.
Advisory support: Dcycle’s team includes sustainability experts who have guided companies through CSRD assurance cycles in Germany, Spain, France, and the Netherlands. The Scope 3 methodology decisions that generated friction during those assurance engagements are exactly the decisions US companies need to make now, before their first filing.
To understand what a Scope 3 inventory looks like inside Dcycle and how it prepares for assurance, request a demo.
For a broader overview of SB 253 obligations, read SB 253: who must comply, what to disclose, and by when. For practical steps before your first deadline, read SB 253 deadlines: what to do now to be ready for 2026.