FAQs

Peppol is an international network that allows companies and public bodies to exchange electronic documents like invoices, orders, and catalogues in a standard and secure way. Think of it as a global mail system for business documents, where everyone follows the same rules so messages always arrive in the right format.

It works through three core pieces.

• Access Points handle sending and receiving documents on behalf of organisations.
• Standardized formats managed by OpenPeppol organisation ensures every document that enters the network follows shared standards.
• The Service Metadata Publisher (SMP) tells the network where a participant can be reached and which document types they support.

When you send a document through your Access Point, it uses the SMP to find the recipient’s details, delivers the message to their Access Point, and confirms it was sent correctly. No custom integrations, no manual processing, just reliable digital exchange across borders and systems.

Read more about Peppol

Short answer: Yes.

Either you can register with OpenPeppol and setup your own Access Point and SMP or use a Peppol certified Access Point provider such as Arratech. You can either use a white-labeled option where you maintain full ownership while your Access Point provider handles hosting, maintenance, and operations.

Alternatively you can use a Shared Access Point if you are looking to reduce Peppol membership fees and simplify local accreditation. Using a shared Access Point, your provider will register you in the Peppol network, giving your organization a unique Peppol Participant ID and publishing your details on a Service Metadata Publisher (SMP). This registration makes you visible and reachable to all other Peppol users globally.

Step 1: Become a Member of OpenPeppol

Step 2: Sign the Service Provider Agreement

Step 3: Configure Technical Infrastructure to Meet Peppol Standards

Step 4: Complete Conformance Testing via the Peppol Testbed

Step 5: Obtain the Production PKI Certificate and Go Live

Read a comprehensive explanation of these steps in our white paper.

Peppol is supported by a large and growing number of accounting, ERP, and specialized e-invoicing platforms globally.

Instead of integrating the Peppol network directly, most businesses use an Access Point service provider (such as Arratech), which operates the Access Point and/or SMP on behalf of the business. Dedicated e-invoicing infrastructure providers (e.g. Arratech) allows you to integrate your Access Point with your existing software via an API.

It depends. Many countries require Peppol-based e-invoicing, especially for business-to-government (B2G) transactions, but it is not uniformly mandatory across all countries or industries. For example, while one country may mandate Peppol for all suppliers to public bodies, another may only recommend it.

Check the specific regulatory requirements of your country and the countries you trade with, as compliance varies by jurisdiction. You can use a compliance resource like Pagero’s “Regulatory Atlas” to verify whether Peppol is mandatory or optional for the specific countries you are interested in.

You can get a Peppol identified (Participant ID) by registering with a Peppol certified Access Point provider. Your provider can create the participant ID for your organisation and publish it in the Peppol network so you can send and receive transactions in the network.

Yes you can, many accounting softwares and web-based invoicing tools use Peppol certified Access Point-as-a-service providers to integrate e-Invoicing directly into their solutions.

The time it takes depends on your chosen method, but it is generally a fast process if you integrate with a Peppol certified Access Point provider that meets your requirements.

Simple integration: If you integrate with the service provider API and follow your provider's “default” process, the process can be completed within a week, moving from sandbox environment testing to production.

Complex Integration: If your system setup is more complicated and you require a full customized technical integration with your enterprise system and the Access Point providers API, the project typically takes 2 to 4 weeks (and in complex cases, up to 6–12 weeks) to configure, implement, and fully test.

Yes. Most Peppol certified Access Point providers charge setup and usage fees, based on volume or subscription. Prices vary based on your requirements, SLA level and countries you want to cover.

Yes. Anyone who wants to send documents through the Peppol network must have Peppol certified Access Point. How to get one? Read our White Paper for a longer explanation.

Any organization that can meet the strict technical, security, and administrative requirements set by OpenPeppol and the relevant National Peppol Authority can become a certified Access Point (AP) provider.

Key Requirements include:

• OpenPeppol membership: Mandatory annual membership and fees.
• Security certification: Adherence to robust security standards, often requiring an ISO 27001 certification.
• Technical conformance: Passing rigorous testing with the OpenPeppol testbed to prove compliance with the AS4 transport protocol and Peppol standards.
• Legal Agreement: Signing the Peppol Service Provider Agreement with the relevant National Peppol Authority.

Read our White Paper for full story on setting up a Peppol Certified Access Point.

The Peppol network supports structured electronic documents in standardized Peppol BIS (Business Interoperability Specifications) formats, such as invoices, orders, and shipping notices, typically using UBL XML. See the full list of documents supported on the OpenPeppol website.

Setting up a Peppol Access Point requires:

• Implementing AS4 communication protocol
• Messages must be signed and encrypted using the Peppol PKI certificates and adhere to robust security standards.
• Validate and process documents using the standardized XML structure defined by the Peppol Business Interoperability Specifications (Peppol BIS).
• The AP must correctly interact with the central SML and SMP services to look up recipient details.
• Testing: The implementation must pass formal conformance tests using the OpenPeppol Testbed environment.

Read our White Paper for full story on setting up a Peppol Certified Access Point.

In fact, you do not directly register the Access Point (AP) with the Service Metadata Locator (SML).

Instead, the process involves two primary technical components, the Access Point (AP) and the Service Metadata Publisher (SMP), with the SMP being the entity that registers with the SML.

Peppol Access Points use the AS4 protocol for secure, reliable messaging. AS4 runs over HTTPS and supports message encryption, signing, and receipt confirmation for end-to-end integrity.

Becoming a certified Peppol Access Point (AP) provider is a complex, multi-step process that involves legal, administrative, security, and technical compliance, enforced by OpenPeppol and the relevant National Peppol Authority (NPA).

We have created a White Paper that details the requirements and compares the choice of hosting your own Access Point versus using a certified Peppol Access Point provider. Access here.

The decision to build your own Peppol Access Point (AP) versus using a Peppol certified Access Point provider (often referred to as "Access Point as-a-Service") depends entirely on your organization's size, technical expertise, budget, and strategic goals.

Using an Access Point as-a-Service provider is the faster, simpler, and far more cost-effective option. Building your own is only advisable for organisations that may have very special needs and are willing to continuously invest in building, updating and operating their own Access Point and or SMP.

Yes, you can send documents like orders and credit notes over the Peppol network, in addition to e-invoices. The Peppol network is designed to support the entire digital procure-to-pay cycle, not just invoicing.

The exchange of these documents is governed by the Peppol Business Interoperability Specifications (Peppol BIS), which define the standardized, machine-readable XML formats for each document type. See the full list of documents supported on the OpenPeppol website.

Sending e-invoices through the Peppol network is considered highly secure, more secure than sending invoices via email (like PDFs). Security is a core design feature of the controlled, authenticated, and encrypted digital Peppol network. governed by mandatory standards set by OpenPeppol.

The Peppol network is managed globally by OpenPeppol, a non-profit organization that sets the standards, oversees governance, and coordinates with national Peppol Authorities. Read more on OpenPeppol here.

A white-label access point allows you to integrate e-invoicing capabilities into your software under your own brand. This means your users interact solely with your platform, maintaining brand consistency and trust, while we handle the backend infrastructure and compliance requirements.

Our API is designed for seamless integration. You can start by creating a sandbox account to test functionalities. Once satisfied, you can move to production. We support both API Key and OAuth authentication methods, catering to various integration needs.

Yes, our access point is certified to operate in over 40 countries, ensuring compliance with networks like Peppol and DBNAlliance. This allows you to offer compliant e-invoicing services globally without the need for multiple integrations.

Absolutely. Our white-label solution enables you to acquire your own e-invoicing network certificates, such as Peppol and DBNAlliance, enhancing your credibility and allowing you to offer services under your own brand.

We provide comprehensive support throughout the integration process, including detailed documentation, quickstart guides, and direct assistance from our technical team. Post-integration, our support continues to ensure smooth operation and address any issues promptly.

Our API supports multiple e-invoicing formats, including UBL, XML, and JSON. We handle format conversions and ensure that invoices meet the specific requirements of various countries and networks, simplifying the process for your users.

Yes, we offer a free sandbox environment where you can test all functionalities of our API without any risk. This allows you to fully build and test your use case before moving to production.

We are ISO 27001 certified, and our servers are continuously monitored to ensure data security. Our solution complies with international data protection regulations, providing a secure environment for your e-invoicing operations. Read more on our Compliance and trust hub.

After successful testing in the sandbox environment, you can request to move production in our API or in the Arratech Connect portal. Once the contract is in place, your solution will be ready to go live.

We recommend our users to do roundtrip testing, sending from Corner 2 to Corner 3 to themselves all relevant document types, thereby validating the complete document flow in the Access Point.

If you are considering to build, deploy and host your own Peppol Access, you should make sure the open-source tool supports all the key requirements of a Peppol Access Point (as described in the official documentation).

For example:

• Support for the AS4 (or other Peppol‐transport) profile.
• Document validation
• Ability to send and receive messages (inbound + outbound) across the network.
• Compliance with the Peppol Business Interoperability Specifications (BIS) and document formats (UBL etc).
• Integration Service Metadata Publisher (SMP) lookup process.
• Certificate handling (signing/encryption)
• Error logging, auditability and service availability
• Maintenance and community / vendor support.

Here are some of the relevant open-source tools you might consider:

Note!

We have created a White Paper that details the requirements and compares the choice of hosting your own Access Point versus using a certified Peppol Access Point provider. Access here.

Operating a certified Peppol Access Point (AP) requires significant and ongoing maintenance to ensure network security, compliance with evolving standards, and high service availability. These obligations are legally binding under the Peppol Service Provider Agreement with your National Peppol Authority.

A summary of some the maintenance that Arratech takes care for our customers:

Technical

• Transport protocol updates (AS4)
• XML validation updates
• Certificate renewals
• SMP/SML integration
• Message storage + purge pipelines

Operational

• Monitoring & alerting
• Support & incident handling
• Load and performance tuning
• Uptime and failsafe mechanisms

Security

• Patching
• Vulnerability scanning
• GDPR compliance
• Key management

Compliance

• Reporting (TSR/EUSR)
• MLS message conformance
• Audit prep
• Standard updates

This substantial maintenance burden is the primary reason why most organizations choose to utilize a Peppol certfified Access Point provider (e.g. Arratech) rather than building and managing their own AP.

Participants in the Peppol Network are not connected directly to each other.

Instead, they exchange documents through their respective Access Points, using a standardized “four-corner” model. Learn more.

Arratech Connect Access Point-as-a-Service is designed from the ground up to support many customers securely and independently, all within the same high-availability infrastructure.

Every customer gets their own dedicated Access Point configuration, including:

• Their own Peppol identification (Participant ID)
• Their own unique Access Point URL
• Their own organisation space in our platform
• Their own user and permission setup

This ensures your traffic, data, and configuration are completely isolated from all other customers.

An SMP is a key component of the eDelivery framework, enabling automated lookup of participant capabilities within networks like Peppol. It tells the sender where and how to deliver electronic documents, making it essential for scalable and compliant e-invoicing and eProcurement.

Hosting your own SMP offers full control and branding, ideal for platforms integrating deeply with eDelivery. But it also comes with compliance, security, and uptime responsibilities. Our solution lets you deploy a white-label SMP under your brand, without the overhead of building or maintaining the infrastructure.

When a participant is registered in your SMP, the corresponding endpoint is published in the SML. The SML acts as a central address book, pointing to the correct SMP so senders can retrieve metadata and routing details dynamically.

Yes. Our SMP is fully compliant with Peppol specifications and supports automatic registration, certificate management, and participant updates through an easy-to-integrate API. It’s tested for interoperability and ready for production use in Peppol networks.

A white-label SMP lets you offer a branded eDelivery infrastructure to your customers, making you their single point of contact for both invoicing and routing services. This strengthens customer retention, adds value to your platform, and positions your service as a complete digital communication solution.

Peppol’s infrastructure relies on a built-in addressing and discovery mechanism. This is not a single central directory, but a federated setup consisting of multiple address books, called Service Metadata Publishers (SMPs). Organisations that are able to receive electronic documents via Peppol are registered in one of these SMPs.

To determine in which SMP a specific organisation is registered, the only centralised component of the Peppol infrastructure is used, the Service Metadata Locator (SML). The SML functions as a pointer, using an organisation’s Peppol ID to enable discovery of where the metadata for that organisation is stored.

When a message is sent, Peppol access points use this SMP/SML mechanism to locate the recipient’s technical endpoint. Lookups can only be performed using a Peppol ID, not, for example, the organisation’s name. When searching via Arratech Lookup, the lookup is performed against this authoritative addressing infrastructure. While data quality ultimately depends on correct publication by the access point, this mechanism is the authoritative source for determining whether a Peppol ID is technically reachable and for which document types.

Peppol Directory is a separate service operated by OpenPeppol and is intended to make it easier to find parties by allowing searches, for example by organisation name. The content of Peppol Directory is populated by access point operators (service providers). In practice, most access point operators publish their recipients, but this is not mandatory. As a result, not all Peppol participants are guaranteed to appear in the Directory. There may also be a delay between an organisation being registered in Peppol and becoming searchable in the Peppol Directory.

This situation can be compared to mobile telephony. When you take out a subscription, you immediately become reachable so that others can call you. However, it may take some time before your phone number and name appear in digital phone books or similar services. In this comparison, the mobile network’s internal routing registers correspond to Peppol’s SMP/SML infrastructure, which is necessary to connect communications. Digital phone books correspond to Peppol Directory, where searches by name and similar attributes are possible.

Therefore, if a recipient does not appear in the Peppol Directory but does appear in Arratech Lookup, you can still be confident that the recipient is connected to Peppol and that it is possible to send electronic messages to that recipient.

We store all data in certified, high-security data centers located within the EU to ensure compliance with GDPR and other local data sovereignty laws. For global operations, we offer region-specific storage options that align with jurisdictional requirements.

By default, we retain your data and logs for 30 days as usually this is fulfills our customers needs. However, retention periods can be configured to meet your specific legal, compliance, or customer needs.

All data is encrypted at rest and in transit using industry-standard protocols. Access is strictly role-based and logged, with audit trails available for compliance reporting. You remain in full control of your customers’ data while we ensure it’s protected against unauthorized access or breaches.

Our system automatically validates messages before sending. If errors occur—such as incorrect formats or unreachable endpoints—they’re flagged instantly, with detailed error codes and messages returned via the API. Failed transmissions can be retried manually or programmatically once the issue is resolved.

You get direct access to our technical support team via email and our support portal. We offer clear SLAs, prioritize production issues, and ensure fast turnaround on integration questions. For white-label partners, we also provide branded documentation and tiered support options to help you serve your own customers.

Yes. Our API provides real-time access to message statuses, delivery confirmations, and error logs. You can build dashboards or alerts around this data to proactively manage operations and reduce support overhead on your side.

The UK government has signalled that it will align with international standards and will most likely adapt to the Peppol Network, the same network already mandatory in Belgium, Germany, Australia, and Singapore and used in many other countries. Full technical specifications are still being finalised by HMRC, but the direction is clear: structured XML invoices exchanged via an approved network, consistent with the EN 16931 European standard. This is good news for vendors already connected to Peppol elsewhere. Slovakia, Belgium, and the UK are all expected to use the same underlying infrastructure model, meaning you can work with one Peppol Access Point infrastructure provider such as Arratech and cover all of them. Arratech monitors HMRC guidance continuously and will update customers as the UK framework is confirmed.

No and this is one of the strongest arguments for acting now. Peppol is a single network with country-specific configurations, not a collection of separate systems. Through working with an infrastructure provider such as Arratech, you can cover UK, Belgium, Germany, France, Slovakia, and many other mandate markets through one connection. The invoice format (EN 16931 XML) is the same European standard across all of them. The difference between countries is which Peppol Authority accredits providers, which syntax variants are accepted, what additional reporting obligations apply. Arratech's unified API handles this per-country complexity automatically, so your platform doesn't need a separate integration for each jurisdiction.

The demand from your customer does not correlate with the deadline of 2029, it's that your enterprise customers will start asking about what you are doing to stay compliant already in 2027, and procurement cycles for infrastructure changes run 12–24 months. The practical answer is almost always to partner with a dedicated experienced Peppol Access Point provider rather than build your own. Building and certifying your own Peppol AP takes 12+ months, requires ongoing OpenPeppol certification maintenance, and demands a dedicated compliance engineering function. Partnering gives you the certainty of being live well before deadline, compliance updates being handled by your partner and provides one simple connection for the increasing complexity as each country implements its own flavor of Peppol Network. The vendors who are ready in 2027 are the ones making the partnership decision in 2026.

The EU's VAT in the Digital Age (ViDA) regulation was formally adopted in March 2025 and introduces mandatory Digital Reporting Requirements (DRR) for cross-border B2B transactions across all EU member states. Here is what businesses and software vendors need to know:

What ViDA DRR requires: Businesses must issue structured electronic invoices — in EN 16931 XML format (UBL 2.1 or CII syntax) — for all cross-border B2B transactions within the EU, and report transaction data to tax authorities in near-real time. PDF invoices will not be valid for in-scope transactions. The reporting obligation sits alongside, not instead of, existing domestic e-invoicing mandates.

The key deadlines:

• July 2030 Cross-border B2B digital reporting becomes mandatory across the EU
• July 2028 Platform economy VAT obligations and new registration rules take effect
• 2035 Domestic mandates expected to align with the common EU framework

What this means in practice: A business already compliant with Belgium's domestic Peppol mandate is not automatically compliant with ViDA DRR. The cross-border reporting layer is a separate obligation, requiring structured invoice exchange and near-real-time tax reporting for transactions with business customers in other EU member states.

What software vendors need to build: Platforms serving EU businesses need a Peppol-certified Access Point capable of handling both domestic mandates and the cross-border DRR reporting layer. The EN 16931 standard is being updated in mid-2026, vendors should build to the current standard and plan for an update cycle, or partner with an infrastructure provider who manages compliance updates automatically.

The practical risk right now: The technical explanatory notes for ViDA DRR are still being finalised (second draft published March 2026). Businesses that wait for complete guidance before acting will find themselves behind on a 12–24 month implementation timeline. The vendors and platforms best positioned for July 2030 are those making infrastructure decisions in 2026.

No, and this is the most common misconception in the market right now.

Domestic mandate ≠ ViDA DRR compliance: A Peppol Access Point that covers Belgium, Germany, or Slovakia handles structured invoice exchange within that country's specific framework. ViDA's Digital Reporting Requirements are a separate, additional obligation covering transactions between businesses in different EU member states. The two obligations overlap in infrastructure but are not the same requirement.

What your domestic setup does cover:

• Structured EN 16931 XML invoice generation
• Peppol network connectivity
• Domestic tax authority reporting (e.g. Corner 5 in Slovakia, Belgium's Mercurius platform)

What ViDA DRR adds on top:

• Cross-border transaction reporting to your home tax authority for all intra-EU B2B sales
• Near-real-time reporting obligations, not just invoice delivery
• A common EU-wide data set (still being finalised, second draft March 2026) that may differ from domestic reporting fields
• Obligations covering transactions where your customer is in a country where you have no domestic mandate today

The practical gap most businesses haven't mapped: A Belgian software vendor with a compliant domestic Peppol setup sells to a German, French, and Polish customer in the same week. The Belgian domestic mandate covers the Belgian invoicing side. ViDA DRR will require that all three cross-border transactions are reported in structured format, even though Germany, France, and Poland each have their own domestic systems. The reporting goes to the Belgian tax authority, not the customer's.

What to do now: Audit which of your transactions are cross-border B2B within the EU. That volume is your ViDA DRR exposure from July 2030. Infrastructure that handles both domestic mandates and the cross-border reporting layer through one unified API, rather than separate country integrations. is the lowest-risk path to covering both obligations.