FAQs

Peppol is an international network that allows companies and public bodies to exchange electronic documents like invoices, orders, and catalogues in a standard and secure way. Think of it as a global mail system for business documents, where everyone follows the same rules so messages always arrive in the right format.

It works through three core pieces.

• Access Points handle sending and receiving documents on behalf of organisations.
• Standardized formats managed by OpenPeppol organisation ensures every document that enters the network follows shared standards.
• The Service Metadata Publisher (SMP) tells the network where a participant can be reached and which document types they support.

When you send a document through your Access Point, it uses the SMP to find the recipient’s details, delivers the message to their Access Point, and confirms it was sent correctly. No custom integrations, no manual processing, just reliable digital exchange across borders and systems.

Read more about Peppol

Short answer: Yes.

Either you can register with OpenPeppol and setup your own Access Point and SMP or use a Peppol certified Access Point provider such as Arratech. You can either use a white-labeled option where you maintain full ownership while your Access Point provider handles hosting, maintenance, and operations.

Alternatively you can use a Shared Access Point if you are looking to reduce Peppol membership fees and simplify local accreditation. Using a shared Access Point, your provider will register you in the Peppol network, giving your organization a unique Peppol Participant ID and publishing your details on a Service Metadata Publisher (SMP). This registration makes you visible and reachable to all other Peppol users globally.

Step 1: Become a Member of OpenPeppol

Step 2: Sign the Service Provider Agreement

Step 3: Configure Technical Infrastructure to Meet Peppol Standards

Step 4: Complete Conformance Testing via the Peppol Testbed

Step 5: Obtain the Production PKI Certificate and Go Live

Read a comprehensive explanation of these steps in our white paper.

Peppol is supported by a large and growing number of accounting, ERP, and specialized e-invoicing platforms globally.

Instead of integrating the Peppol network directly, most businesses use an Access Point service provider (such as Arratech), which operates the Access Point and/or SMP on behalf of the business. Dedicated e-invoicing infrastructure providers (e.g. Arratech) allows you to integrate your Access Point with your existing software via an API.

It depends. Many countries require Peppol-based e-invoicing, especially for business-to-government (B2G) transactions, but it is not uniformly mandatory across all countries or industries. For example, while one country may mandate Peppol for all suppliers to public bodies, another may only recommend it.

Check the specific regulatory requirements of your country and the countries you trade with, as compliance varies by jurisdiction. You can use a compliance resource like Pagero’s “Regulatory Atlas” to verify whether Peppol is mandatory or optional for the specific countries you are interested in.

You can get a Peppol identified (Participant ID) by registering with a Peppol certified Access Point provider. Your provider can create the participant ID for your organisation and publish it in the Peppol network so you can send and receive transactions in the network.

Yes you can, many accounting softwares and web-based invoicing tools use Peppol certified Access Point-as-a-service providers to integrate e-Invoicing directly into their solutions.

The time it takes depends on your chosen method, but it is generally a fast process if you integrate with a Peppol certified Access Point provider that meets your requirements.

Simple integration: If you integrate with the service provider API and follow your provider's “default” process, the process can be completed within a week, moving from sandbox environment testing to production.

Complex Integration: If your system setup is more complicated and you require a full customized technical integration with your enterprise system and the Access Point providers API, the project typically takes 2 to 4 weeks (and in complex cases, up to 6–12 weeks) to configure, implement, and fully test.

Yes. Most Peppol certified Access Point providers charge setup and usage fees, based on volume or subscription. Prices vary based on your requirements, SLA level and countries you want to cover.

Yes. Anyone who wants to send documents through the Peppol network must have Peppol certified Access Point. How to get one? Read our White Paper for a longer explanation.

Any organization that can meet the strict technical, security, and administrative requirements set by OpenPeppol and the relevant National Peppol Authority can become a certified Access Point (AP) provider.

Key Requirements include:

• OpenPeppol membership: Mandatory annual membership and fees.
• Security certification: Adherence to robust security standards, often requiring an ISO 27001 certification.
• Technical conformance: Passing rigorous testing with the OpenPeppol testbed to prove compliance with the AS4 transport protocol and Peppol standards.
• Legal Agreement: Signing the Peppol Service Provider Agreement with the relevant National Peppol Authority.

Read our White Paper for full story on setting up a Peppol Certified Access Point.

The Peppol network supports structured electronic documents in standardized Peppol BIS (Business Interoperability Specifications) formats, such as invoices, orders, and shipping notices, typically using UBL XML. See the full list of documents supported on the OpenPeppol website.

Setting up a Peppol Access Point requires:

• Implementing AS4 communication protocol
• Messages must be signed and encrypted using the Peppol PKI certificates and adhere to robust security standards.
• Validate and process documents using the standardized XML structure defined by the Peppol Business Interoperability Specifications (Peppol BIS).
• The AP must correctly interact with the central SML and SMP services to look up recipient details.
• Testing: The implementation must pass formal conformance tests using the OpenPeppol Testbed environment.

Read our White Paper for full story on setting up a Peppol Certified Access Point.

In fact, you do not directly register the Access Point (AP) with the Service Metadata Locator (SML).

Instead, the process involves two primary technical components, the Access Point (AP) and the Service Metadata Publisher (SMP), with the SMP being the entity that registers with the SML.

Peppol Access Points use the AS4 protocol for secure, reliable messaging. AS4 runs over HTTPS and supports message encryption, signing, and receipt confirmation for end-to-end integrity.

Becoming a certified Peppol Access Point (AP) provider is a complex, multi-step process that involves legal, administrative, security, and technical compliance, enforced by OpenPeppol and the relevant National Peppol Authority (NPA).

We have created a White Paper that details the requirements and compares the choice of hosting your own Access Point versus using a certified Peppol Access Point provider. Access here.

The decision to build your own Peppol Access Point (AP) versus using a Peppol certified Access Point provider (often referred to as "Access Point as-a-Service") depends entirely on your organization's size, technical expertise, budget, and strategic goals.

Using an Access Point as-a-Service provider is the faster, simpler, and far more cost-effective option. Building your own is only advisable for organisations that may have very special needs and are willing to continuously invest in building, updating and operating their own Access Point and or SMP.

Yes, you can send documents like orders and credit notes over the Peppol network, in addition to e-invoices. The Peppol network is designed to support the entire digital procure-to-pay cycle, not just invoicing.

The exchange of these documents is governed by the Peppol Business Interoperability Specifications (Peppol BIS), which define the standardized, machine-readable XML formats for each document type. See the full list of documents supported on the OpenPeppol website.

Sending e-invoices through the Peppol network is considered highly secure, more secure than sending invoices via email (like PDFs). Security is a core design feature of the controlled, authenticated, and encrypted digital Peppol network. governed by mandatory standards set by OpenPeppol.

The Peppol network is managed globally by OpenPeppol, a non-profit organization that sets the standards, oversees governance, and coordinates with national Peppol Authorities. Read more on OpenPeppol here.

A white-label access point allows you to integrate e-invoicing capabilities into your software under your own brand. This means your users interact solely with your platform, maintaining brand consistency and trust, while we handle the backend infrastructure and compliance requirements.

Our API is designed for seamless integration. You can start by creating a sandbox account to test functionalities. Once satisfied, you can move to production. We support both API Key and OAuth authentication methods, catering to various integration needs.

Yes, our access point is certified to operate in over 40 countries, ensuring compliance with networks like Peppol and DBNAlliance. This allows you to offer compliant e-invoicing services globally without the need for multiple integrations.

Absolutely. Our white-label solution enables you to acquire your own e-invoicing network certificates, such as Peppol and DBNAlliance, enhancing your credibility and allowing you to offer services under your own brand.

We provide comprehensive support throughout the integration process, including detailed documentation, quickstart guides, and direct assistance from our technical team. Post-integration, our support continues to ensure smooth operation and address any issues promptly.

Our API supports multiple e-invoicing formats, including UBL, XML, and JSON. We handle format conversions and ensure that invoices meet the specific requirements of various countries and networks, simplifying the process for your users.

Yes, we offer a free sandbox environment where you can test all functionalities of our API without any risk. This allows you to fully build and test your use case before moving to production.

We are ISO 27001 certified, and our servers are continuously monitored to ensure data security. Our solution complies with international data protection regulations, providing a secure environment for your e-invoicing operations. Read more on our Compliance and trust hub.

After successful testing in the sandbox environment, you can request to move production in our API or in the Arratech Connect portal. Once the contract is in place, your solution will be ready to go live.

We recommend our users to do roundtrip testing, sending from Corner 2 to Corner 3 to themselves all relevant document types, thereby validating the complete document flow in the Access Point.

If you are considering to build, deploy and host your own Peppol Access, you should make sure the open-source tool supports all the key requirements of a Peppol Access Point (as described in the official documentation).

For example:

• Support for the AS4 (or other Peppol‐transport) profile.
• Document validation
• Ability to send and receive messages (inbound + outbound) across the network.
• Compliance with the Peppol Business Interoperability Specifications (BIS) and document formats (UBL etc).
• Integration Service Metadata Publisher (SMP) lookup process.
• Certificate handling (signing/encryption)
• Error logging, auditability and service availability
• Maintenance and community / vendor support.

Here are some of the relevant open-source tools you might consider:

Note!

We have created a White Paper that details the requirements and compares the choice of hosting your own Access Point versus using a certified Peppol Access Point provider. Access here.

Operating a certified Peppol Access Point (AP) requires significant and ongoing maintenance to ensure network security, compliance with evolving standards, and high service availability. These obligations are legally binding under the Peppol Service Provider Agreement with your National Peppol Authority.

A summary of some the maintenance that Arratech takes care for our customers:

Technical

• Transport protocol updates (AS4)
• XML validation updates
• Certificate renewals
• SMP/SML integration
• Message storage + purge pipelines

Operational

• Monitoring & alerting
• Support & incident handling
• Load and performance tuning
• Uptime and failsafe mechanisms

Security

• Patching
• Vulnerability scanning
• GDPR compliance
• Key management

Compliance

• Reporting (TSR/EUSR)
• MLS message conformance
• Audit prep
• Standard updates

This substantial maintenance burden is the primary reason why most organizations choose to utilize a Peppol certfified Access Point provider (e.g. Arratech) rather than building and managing their own AP.

Participants in the Peppol Network are not connected directly to each other.

Instead, they exchange documents through their respective Access Points, using a standardized “four-corner” model. Learn more.

Arratech Connect Access Point-as-a-Service is designed from the ground up to support many customers securely and independently, all within the same high-availability infrastructure.

Every customer gets their own dedicated Access Point configuration, including:

• Their own Peppol identification (Participant ID)
• Their own unique Access Point URL
• Their own organisation space in our platform
• Their own user and permission setup

This ensures your traffic, data, and configuration are completely isolated from all other customers.

An SMP is a key component of the eDelivery framework, enabling automated lookup of participant capabilities within networks like Peppol. It tells the sender where and how to deliver electronic documents, making it essential for scalable and compliant e-invoicing and eProcurement.

Hosting your own SMP offers full control and branding, ideal for platforms integrating deeply with eDelivery. But it also comes with compliance, security, and uptime responsibilities. Our solution lets you deploy a white-label SMP under your brand, without the overhead of building or maintaining the infrastructure.

When a participant is registered in your SMP, the corresponding endpoint is published in the SML. The SML acts as a central address book, pointing to the correct SMP so senders can retrieve metadata and routing details dynamically.

Yes. Our SMP is fully compliant with Peppol specifications and supports automatic registration, certificate management, and participant updates through an easy-to-integrate API. It’s tested for interoperability and ready for production use in Peppol networks.

A white-label SMP lets you offer a branded eDelivery infrastructure to your customers, making you their single point of contact for both invoicing and routing services. This strengthens customer retention, adds value to your platform, and positions your service as a complete digital communication solution.

We store all data in certified, high-security data centers located within the EU to ensure compliance with GDPR and other local data sovereignty laws. For global operations, we offer region-specific storage options that align with jurisdictional requirements.

By default, we retain your data and logs for 30 days as usually this is fulfills our customers needs. However, retention periods can be configured to meet your specific legal, compliance, or customer needs.

All data is encrypted at rest and in transit using industry-standard protocols. Access is strictly role-based and logged, with audit trails available for compliance reporting. You remain in full control of your customers’ data while we ensure it’s protected against unauthorized access or breaches.

Our system automatically validates messages before sending. If errors occur—such as incorrect formats or unreachable endpoints—they’re flagged instantly, with detailed error codes and messages returned via the API. Failed transmissions can be retried manually or programmatically once the issue is resolved.

You get direct access to our technical support team via email and our support portal. We offer clear SLAs, prioritize production issues, and ensure fast turnaround on integration questions. For white-label partners, we also provide branded documentation and tiered support options to help you serve your own customers.

Yes. Our API provides real-time access to message statuses, delivery confirmations, and error logs. You can build dashboards or alerts around this data to proactively manage operations and reduce support overhead on your side.

The Five-Corner Model adds a fifth party—usually a tax authority or regulatory platform—to the traditional Four-Corner setup. It enables the transmission of business documents (like e-invoices) while also fulfilling real-time reporting requirements to the government.

Flow of the Five-Corner Model

1. Sender (Corner 1) – The business initiating an invoice or document.
2. Sender’s Access Point (Corner 2) – Validates and forwards the document.
3. Regulatory Gateway (Corner 3) – A platform, often run or certified by the government, that checks or clears the document (e.g., for VAT compliance).
4. Receiver’s Access Point (Corner 4) – Delivers the cleared document to the receiver.
5. Receiver (Corner 5) – The final recipient of the document (business or public entity).