Peppol Service Metadata Publisher Updates
Must do’s before the deadline
OpenPeppol, the organisation governing the Peppol network, the most widely used and e-invoicing network in the world, is rolling out two major changes that will make the network more secure:
- Mandatory HTTPS for all Service Metadata Publishers (SMPs).
- Migration from CNAME to NAPTR records for Service Metadata Locator (SML) lookups.
These updates from OpenPeppol are improvements that every business running a Peppol Access Point and SMP needs to understand and prepare for.
👉 Want to skip the migration headache? Talk to Arratech today and we’ll keep you compliant from day one.
Here is what you need to know
HTTPS for SMPs
From February 1, 2026, every Peppol SMP must run exclusively on HTTPS with TLS certificates from an approved CA (certificate authority).
- Moving to HTTPS in Peppol encrypts Corner 2 SMP lookup responses
SMP servers must use TLS from an approved Certificate Authority to operate on port 443. - Please note that the SMP PKI certificate issued by OpenPeppol cannot be used for this purpose as it is used solely for the interaction with the SML and for SMP lookup responses.
- Mandatory from Feb 1, 2026
- Migration possible from Nov 1, 2025
This change enhances security between C2 Access Point clients and SMPs when retrieving participant metadata
Migrating to HTTPS increases the integrity and security for for participant metadata retrieval, making the Peppol network more secure.
NAPTR Records Replace CNAME Lookups
The way Corner 2 Access Points discover participants are also changing. CNAME records in the SML are being deprecated in favor of NAPTR (U-NAPTR), a more advanced and resilient method that reduces the number of SML records which is desired as the network has grown rapidly over the last few years to approximately 2 million registered receivers.
Quick summary of NAPTR records update for Peppol
- Replace CNAME records for SML lookups
- Provide flexibility for future routing innovations
- Scales better as Peppol adoption grows
- Becomes mandatory from Feb 1, 2026
Transition timeline:
May 1 – Nov 1, 2025: Both lookup methods run in parallel.
Nov 1, 2025: NAPTR becomes the primary method.
Feb 1, 2026: CNAME is fully deprecated.
What does it mean for Peppol Access Point and Peppol SMP providers?
If you are operating and hosting a Peppol Access Point and/or SMP, you need to perform the updates according to the timelines stated above. This ensures you remain compliant and prevent interruptions to your service:
- Watch the webinar from OpenPeppol to learn more about the details and read this document.
- Migrate SMPs to HTTPS with TLS certificates from approved authorities.
- Update your systems to handle NAPTR-based lookups.
- Test thoroughly during the transition to avoid service disruptions.
Transition to HTTPS and NAPTR are mandatory
Don’t worry, we’ve got you.
At Arratech, we live and breathe Peppol. Instead of losing sleep over maintaining your Peppol service, migrate to Arratech and we will ensure compliance and uninterrupted service, 24/7. The 2026 deadline isn’t optional. The question is: will you scramble at the last minute, or be compliant from day one with Arratech?
👉 Talk to the Peppol experts today and stay ahead of the 2026 deadline.
The Smarter path through service metadata infrastructure migration
This migration represents a significant investment of time and resources. Without a managed solution, you’ll need to handle certificate renewals, DNS reconfiguration, SMP software updates, and compliance testing. Instead, migrate directly to Arratech’s Peppol Access Point and SMP solutions. We take care of all updates and guarantee uninterrupted connectivity to the Peppol Network. You could spend months planning, testing, and maintaining this migration — or simply hand it off to Arratech. Our HTTPS- and NAPTR-ready infrastructure keeps you compliant without the operational burden.
Get in touch today and learn how we can support you:
FAQs
The UK government has signalled that it will align with international standards and will most likely adapt to the Peppol Network, the same network already mandatory in Belgium, Germany, Australia, and Singapore and used in many other countries. Full technical specifications are still being finalised by HMRC, but the direction is clear: structured XML invoices exchanged via an approved network, consistent with the EN 16931 European standard. This is good news for vendors already connected to Peppol elsewhere. Slovakia, Belgium, and the UK are all expected to use the same underlying infrastructure model, meaning you can work with one Peppol Access Point infrastructure provider such as Arratech and cover all of them. Arratech monitors HMRC guidance continuously and will update customers as the UK framework is confirmed.
No and this is one of the strongest arguments for acting now. Peppol is a single network with country-specific configurations, not a collection of separate systems. Through working with an infrastructure provider such as Arratech, you can cover UK, Belgium, Germany, France, Slovakia, and many other mandate markets through one connection. The invoice format (EN 16931 XML) is the same European standard across all of them. The difference between countries is which Peppol Authority accredits providers, which syntax variants are accepted, what additional reporting obligations apply. Arratech's unified API handles this per-country complexity automatically, so your platform doesn't need a separate integration for each jurisdiction.
The demand from your customer does not correlate with the deadline of 2029, it's that your enterprise customers will start asking about what you are doing to stay compliant already in 2027, and procurement cycles for infrastructure changes run 12–24 months. The practical answer is almost always to partner with a dedicated experienced Peppol Access Point provider rather than build your own. Building and certifying your own Peppol AP takes 12+ months, requires ongoing OpenPeppol certification maintenance, and demands a dedicated compliance engineering function. Partnering gives you the certainty of being live well before deadline, compliance updates being handled by your partner and provides one simple connection for the increasing complexity as each country implements its own flavor of Peppol Network. The vendors who are ready in 2027 are the ones making the partnership decision in 2026.
Glossary
A Service Metadata Publisher (SMP) is a registry on the Peppol network that stores essential details about a business or organisation — such as which types of electronic documents (e-documents) it can receive (e.g., e-invoices, purchase orders) and how those documents sho
If your organisation wants to receive e-documents via Peppol, it must be registered in an SMP. Without this registration, other companies and government agencies cannot find the technical information they need to deliver documents to you.
The Service Metadata Locator (SML), the only central component in the Peppol eDelivery Network. It keeps track of where each participant’s Service Metadata Publisher (SMP) is located. When a sender wants to deliver an electronic document, their Access Point queries the SML to find the correct SMP address for the recipient. The SMP then provides the detailed technical information needed to send the document securely and correctly.
A DNS record type formerly used for SML lookups (pointing one domain name to another) that is being deprecated in this context.
A DNS record type that replaces CNAME in the new lookup method. It supports more advanced and flexible routing for metadata resolution.
More Stories
The Peppol network is often described as a “four-corner model”, but what does that actually mean in practice? This article breaks down the Peppol transport model in a simple way, showing how electronic invoices move securely from sender to receiver through trusted Access Points. Learn how the Peppol infrastructure enables reliable document exchange without complex one-to-one integrations, and why the model has become the foundation for modern e-invoicing across Europe and beyond.
EN 16931 is being updated ERP providers and software vendors in the Peppol network need to be ready.
The revised EU e-invoicing standard is expected mid-2026, bringing stricter validation rules, expanded data requirements, and new implications for Peppol and e-invoicing platforms. Read the blog to understand what’s changing and how to prepare.
The UK’s mandatory e-invoicing mandate starts on 1 April 2029, but software vendors need to prepare now. Businesses that invoice UK companies should assess Peppol readiness, Access Point and SMP infrastructure, and build-vs-buy options well ahead of compliance deadlines.
Ready for a simple connection to the future of e-Invoicing?
Join the next generation of e-Invoicing infrastructure from Arratech.
Cut costs, stay compliant, and integrate effortlessly.