OpenPeppol SML insourcing - what you need to know
OpenPeppol published the SML Insourcing Plan for 2026 and by end of May all Peppol Certified Service Providers must have made change to new address.
The main point is simple. This is an infrastructure move. It is not a rewrite of the Peppol network. It is not a new way to exchange documents.
The Service Metadata Locator, or SML, is moving from the European Commission’s DG DIGIT environment to OpenPeppol-controlled infrastructure. OpenPeppol says the goal is to gain full operational and contractual control of this critical part of the network, while keeping continuity and stability for Peppol users.
This is an infrastructure move. It is not a rewrite of the Peppol network.
What the SML does
The SML is part of Peppol’s Dynamic Discovery model.
In plain terms, it helps an Access Point find where to send a document. It links a Participant Identifier to the right Service Metadata Publisher, or SMP. The SMP then gives the sender the metadata and technical endpoint needed to deliver the document.
So the SML is not where invoices are created. It is not where business documents are stored. It is part of the lookup layer that helps Peppol routing work.
What is changing
OpenPeppol describes one functional change for Service Providers.
Access Points need to update DNS lookup domains. SMP providers need to update SML registration API endpoints. OpenPeppol also states that the Dynamic Discovery model and SML functionality remain unchanged.
For SMP management, the new Peppol URLs are:
Test: https://api.sml.test.tech.peppol.org/edelivery-sml/
Production: https://api.sml.prod.tech.peppol.org/edelivery-sml/
These replace the current European Commission management URLs.
For Access Point lookup, the new lookup domains are:
Test: participant.sml.test.tech.peppol.org
Production: participant.sml.prod.tech.peppol.org
These replace the current lookup domains in the EC environment.
The timeline
The migration window opened on 19 March 2026. OpenPeppol later confirmed that migration is open for both Access Point lookup and SMP registration.
The key deadlines are:
SMP registrations must move to the new SML registration endpoint by 31 May 2026.
Access Point lookup must move to the new DNS lookup domains by 31 August 2026.
Both test and production environments are in scope. OpenPeppol says changes must be applied to T-SML, the test environment, and SML, the production environment.
Both test and production environments are in scope.
What is not changing
This is the part that matters most for customers.
The Peppol document exchange flow is not being redesigned. The roles of Access Points and SMPs remain the same. The Dynamic Discovery model remains the same.
OpenPeppol says the migration keeps the same functional architecture, including DNS-based participant resolution, management APIs for SMP operations, and the separation between lookup and management. It also states that, from an external integration view, the SML keeps the same service interfaces and operational model.
That means this is not a new platform build. It is a controlled infrastructure transition.
It is also not a new Testbed accreditation exercise based on the published scope. The official plan lists the required Service Provider work as DNS lookup updates for Access Points and SML registration endpoint updates for SMP providers. The OpenPeppol Testbed remains the normal place for conformance testing and self-assessment.
Why it still needs care
Low risk does not mean no risk.
A missed DNS setting can break lookup. A stale endpoint can block participant registration. A test update that is not repeated in production can cause confusion later.
The work is small, but it needs to be done cleanly. Service Providers should check their configuration, update both test and production, and monitor lookup and registration after the change.
Service Providers should check their configuration, update both test and production, and monitor lookup and registration after the change.
What this means for Arratech customers
For Arratech customers, we have already handled this change as part of our managed Peppol-as-a-sservice.
We have updated the required SML domains and registration endpoints. We monitor the migration path and help reduce the risk of disruption.
Our customers do not need to redesign their Peppol setup. They do not need to change document flows. They can focus on rollout planning, business continuity, and customer onboarding.
Arratech provides Peppol-as-a-Service with an API-first architecture. Customers can use Arratech’s Access Point and SMP services, or choose White label Access Point and SMP options. Arratech Connect also gives teams a web-based way to manage onboarding alongside the API.
Security and continuity also matter during network changes. Arratech’s security overview states that Arratech operates an ISO/IEC 27001-certified information security management system and an ISO 22301-certified business continuity management system. It also describes controls such as encryption, 24/7 security monitoring, secure development, and disaster recovery.
Let Arratech handle your White Label Access Point infrastructure
The Peppol SML insourcing plan is a sign of a maturing network. OpenPeppol is taking direct control of a key infrastructure layer. For Service Providers, the work is clear: update lookup domains, update registration endpoints, and do it before the deadlines.
Arratech handles these changes across our Peppol services.
We offer both White label and Shared options in all territories where we operate. That gives service providers, software vendors, enterprises, and public sector teams a practical choice. Use Arratech’s managed infrastructure, or run a White label setup with Arratech behind it.
Need to know if your Peppol setup is ready for the SML migration? Contact Arratech. We can review your current AP and SMP setup, handle the migration work, and help you choose the right Shared or White label model.
General
Peppol is an international network that allows companies and public bodies to exchange electronic documents like invoices, orders, and catalogues in a standard and secure way. Think of it as a global mail system for business documents, where everyone follows the same rules so messages always arrive in the right format.
It works through three core pieces.
- Access Points handle sending and receiving documents on behalf of organisations.
- Standardized formats managed by OpenPeppol organisation ensures every document that enters the network follows shared standards.
- The Service Metadata Publisher (SMP) tells the network where a participant can be reached and which document types they support.
When you send a document through your Access Point, it uses the SMP to find the recipient’s details, delivers the message to their Access Point, and confirms it was sent correctly. No custom integrations, no manual processing, just reliable digital exchange across borders and systems.
Short answer: Yes.
Either you can register with OpenPeppol and setup your own Access Point and SMP or use a Peppol certified Access Point provider such as Arratech. You can either use a white-labeled option where you maintain full ownership while your Access Point provider handles hosting, maintenance, and operations.
Alternatively you can use a Shared Access Point if you are looking to reduce Peppol membership fees and simplify local accreditation. Using a shared Access Point, your provider will register you in the Peppol network, giving your organization a unique Peppol Participant ID and publishing your details on a Service Metadata Publisher (SMP). This registration makes you visible and reachable to all other Peppol users globally.
Step 1: Become a Member of OpenPeppol
Step 2: Sign the Service Provider Agreement
Step 3: Configure Technical Infrastructure to Meet Peppol Standards
Step 4: Complete Conformance Testing via the Peppol Testbed
Step 5: Obtain the Production PKI Certificate and Go Live
Read a comprehensive explanation of these steps in our white paper.
Peppol is supported by a large and growing number of accounting, ERP, and specialized e-invoicing platforms globally.
Instead of integrating the Peppol network directly, most businesses use an Access Point service provider (such as Arratech), which operates the Access Point and/or SMP on behalf of the business. Dedicated e-invoicing infrastructure providers (e.g. Arratech) allows you to integrate your Access Point with your existing software via an API.
It depends. Many countries require Peppol-based e-invoicing, especially for business-to-government (B2G) transactions, but it is not uniformly mandatory across all countries or industries. For example, while one country may mandate Peppol for all suppliers to public bodies, another may only recommend it.
Check the specific regulatory requirements of your country and the countries you trade with, as compliance varies by jurisdiction. You can use a compliance resource like Pagero’s “Regulatory Atlas” to verify whether Peppol is mandatory or optional for the specific countries you are interested in.
You can get a Peppol identified (Participant ID) by registering with a Peppol certified Access Point provider. Your provider can create the participant ID for your organisation and publish it in the Peppol network so you can send and receive transactions in the network.
Yes you can, many accounting softwares and web-based invoicing tools use Peppol certified Access Point-as-a-service providers to integrate e-Invoicing directly into their solutions.
| Feature | Digital Invoicing (Broad Term) | Peppol-based e-Invoicing |
|---|---|---|
| Data Format | Unstructured or semi-structured. Includes human-readable formats like PDFs sent via email, or scanned paper. | Structured data. The invoice is machine-readable XML (using the Peppol BIS standard), not just a visual document. |
| Processing | Requires manual data entry or high-cost Optical Character Recognition (OCR) by the recipient. | Automatic, straight-through processing directly into the recipient's accounting system without human intervention. |
| Network | Point-to-point (Sender <-> Receiver) typically via email. Requires prior agreements. | Interoperable Network (Four-Corner Model) via certified Access Points. Connect once to reach all Peppol users globally. |
The time it takes depends on your chosen method, but it is generally a fast process if you integrate with a Peppol certified Access Point provider that meets your requirements.
Simple integration: If you integrate with the service provider API and follow your provider's “default” process, the process can be completed within a week, moving from sandbox environment testing to production.
Complex Integration: If your system setup is more complicated and you require a full customized technical integration with your enterprise system and the Access Point providers API, the project typically takes 2 to 4 weeks (and in complex cases, up to 6–12 weeks) to configure, implement, and fully test.
Yes. Most Peppol certified Access Point providers charge setup and usage fees, based on volume or subscription. Prices vary based on your requirements, SLA level and countries you want to cover.
Yes. Anyone who wants to send documents through the Peppol network must have Peppol certified Access Point. How to get one? Read our White Paper for a longer explanation.
Any organization that can meet the strict technical, security, and administrative requirements set by OpenPeppol and the relevant National Peppol Authority can become a certified Access Point (AP) provider.
Key Requirements include:
- OpenPeppol membership: Mandatory annual membership and fees.
- Security certification: Adherence to robust security standards, often requiring an ISO 27001 certification.
- Technical conformance: Passing rigorous testing with the OpenPeppol testbed to prove compliance with the AS4 transport protocol and Peppol standards.
- Legal Agreement: Signing the Peppol Service Provider Agreement with the relevant National Peppol Authority.
Read our White Paper for full story on setting up a Peppol Certified Access Point.
The Peppol network supports structured electronic documents in standardized Peppol BIS (Business Interoperability Specifications) formats, such as invoices, orders, and shipping notices, typically using UBL XML. See the full list of documents supported on the OpenPeppol website.
Setting up a Peppol Access Point requires:
- Implementing AS4 communication protocol
- Messages must be signed and encrypted using the Peppol PKI certificates and adhere to robust security standards.
- Validate and process documents using the standardized XML structure defined by the Peppol Business Interoperability Specifications (Peppol BIS).
- The AP must correctly interact with the central SML and SMP services to look up recipient details.
- Testing: The implementation must pass formal conformance tests using the OpenPeppol Testbed environment.
Read our White Paper for full story on setting up a Peppol Certified Access Point.
In fact, you do not directly register the Access Point (AP) with the Service Metadata Locator (SML).
Instead, the process involves two primary technical components, the Access Point (AP) and the Service Metadata Publisher (SMP), with the SMP being the entity that registers with the SML.
Peppol Access Points use the AS4 protocol for secure, reliable messaging. AS4 runs over HTTPS and supports message encryption, signing, and receipt confirmation for end-to-end integrity.
Becoming a certified Peppol Access Point (AP) provider is a complex, multi-step process that involves legal, administrative, security, and technical compliance, enforced by OpenPeppol and the relevant National Peppol Authority (NPA).
We have created a White Paper that details the requirements and compares the choice of hosting your own Access Point versus using a certified Peppol Access Point provider. Access here.
The decision to build your own Peppol Access Point (AP) versus using a Peppol certified Access Point provider (often referred to as "Access Point as-a-Service") depends entirely on your organization's size, technical expertise, budget, and strategic goals.
Using an Access Point as-a-Service provider is the faster, simpler, and far more cost-effective option. Building your own is only advisable for organisations that may have very special needs and are willing to continuously invest in building, updating and operating their own Access Point and or SMP.
Yes, you can send documents like orders and credit notes over the Peppol network, in addition to e-invoices. The Peppol network is designed to support the entire digital procure-to-pay cycle, not just invoicing.
The exchange of these documents is governed by the Peppol Business Interoperability Specifications (Peppol BIS), which define the standardized, machine-readable XML formats for each document type. See the full list of documents supported on the OpenPeppol website.
Sending e-invoices through the Peppol network is considered highly secure, more secure than sending invoices via email (like PDFs). Security is a core design feature of the controlled, authenticated, and encrypted digital Peppol network. governed by mandatory standards set by OpenPeppol.
The Peppol network is managed globally by OpenPeppol, a non-profit organization that sets the standards, oversees governance, and coordinates with national Peppol Authorities. Read more on OpenPeppol here.