Australian Accreditation Process for Peppol service providers

On this page

• Accreditation overview
• Prior to commencing accreditation
• Australian accreditation steps
• Mutual accreditation with New Zealand
• Accreditation annual review
• Peppol technical and policy documents
• Australia specific technical and guidance documentation

Accreditation overview

This page describes the process a Peppol service provider must complete to become an Australian accredited Peppol service provider and to be authorised to operate within Australia.

The ATO, in its role as the Australian Peppol Authority, sets the accreditation requirements in Australia that form part of the Australian Peppol Authority Specific Requirements.

The requirements of accreditation are in place to:

• protect the interests of end-users and other Peppol service providers
• ensure interoperability of the Peppol network and ability to send or receive valid A-NZ invoices
• mitigate against security risks to the network.

Prior to commencing accreditation

For Peppol service providers seeking accreditation for the first time, you will need to contact OpenPeppol – General Support to determine your home Peppol Authority whom you will be required to complete accreditation with first. Open Peppol charges an annual membership fee based on a calendar year; this is payable each year regardless of your accreditation status.

Before commencing accreditation, Peppol service providers should understand the technical, legal and policy framework of Peppol by reviewing the:

• Peppol technical and policy documents
• Australia specific technical and guidance documentation

If service providers have questions or would like a meeting to discuss the Peppol framework or accreditation steps, reach out to eInvoicing@ato.gov.au or through Online services for DSPs.

Australian accreditation steps

The Australian accreditation process applies to Peppol service providers:

• with Australia as their home Peppol Authority as determined by OpenPeppol
• with a home Peppol Authority that is not in Australia but is seeking to operate in Australia.

The accreditation steps include:

1. Submit an Expression of Interest
2. Legal agreements
3. Due Diligence checks
4. Information Security Questionnaire
5. Testing
6. Receive accreditation

The time required to complete this process is dependent on the readiness of the individual Peppol service provider seeking accreditation.

1. Submit an expression of interest

To initiate the accreditation process, submit an expression of interest (EOI) by:

• using the Online Services for DSP for ABN holders
• sending the completed EOI (DOCX, 57KB) to eInvoicing@ato.gov.au for non-ABN holders.

The EOI provides us with an overview of your company and solution. We will endeavour to respond to EOIs within 5 business days and offer an introductory meeting.

2. Legal agreements

The Peppol Service Provider Agreement is a legal agreement outlining the roles and responsibilities for you, as the Peppol service provider, and your Peppol Authority.

Australia is your home Peppol Authority

Provide a signed copy of the Peppol Service Provider Agreement to the Australian Peppol Authority. A countersigned copy will be returned once all other steps of accreditation have been completed.

Australia is not your home Peppol Authority

Provide a countersigned copy of the Peppol Service Provider Agreement returned from your home Peppol Authority.

3. Due Diligence checks

To protect the interests of end users and the other Peppol service providers operating in the network, we will use the information provided in the EOI to complete due diligence checks including:

• confirmation the entity providing the service is a registered business
• confirmation the entity providing the service is not insolvent
• confirmation the entity’s senior office holders are not banned, disqualified or bankrupt
• a criminal record check.

You must provide evidence of an enforceable professional indemnity insurance policy equivalent to at least A$1 million per occurrence. When procuring professional indemnity insurance, we recommend that the level of coverage is commensurate to your level of risk exposure and that you adjust to a higher level of insurance where applicable to ensure you can mitigate against the risk of claims extending to other eInvoicing network participants.

4. Information Security Questionnaire

All Peppol service providers are required to complete and submit the A-NZ eInvoicing Security Questionnaire.

The security control requirements include:

• self-assessment or independent audit against ISO/IEC 27001 or ASD/NZ ISM, which includes suitable evidence for the following controls
  • encryption key management
  • network segregation
  • audit logging
  • patch and vulnerability management program
  • information security awareness, education and training
  • physical and environmental security
  • operational procedures and responsibility
  • system acquisition, development and maintenance, including secure coding practices
  • system access control
  • personnel security
  • backup
• encryption at rest
• security monitoring practices
• encryption in transit (access points only)
• multifactor authentication (access points only).

For further information, refer to the A-NZ Information Security Guidance Note.

5. Testing

You are required to complete testing to verify your service offering conforms to Peppol specifications and additional local requirements. There are 3 steps of testing required to be completed sequentially:

1. Unit testing
2. Peppol acceptance testing
3. Interoperability testing

Note: Peppol service providers already accredited in another jurisdiction will only be required to complete interoperability testing.

Step 1: Unit testing

Complete unit testing in your own environment to verify that your service can send and receive Peppol BIS documents in line with the eDelivery documentation.

Obtain Test PKI Certificate

Obtain the test certificate via the OpenPeppol Jira Service Desk portal.

On the portal main page, select ‘PKI Certificate Request’ and choose ‘test’ at the certificate purpose option. Complete the remaining fields and include any attachments as requested such as company registration details.

Once OpenPeppol approves, you will have 10 days to download your test certificate. Certificates not downloaded during this timeframe will expire and you will need to raise a new service desk request to have the certificate reissued.

Step 2: Peppol acceptance testing – eDelivery Network compliance (AP only)

The Peppol acceptance tests are conducted in the OpenPeppol central test bed and formally tests your compliance with the Peppol eDelivery Network specifications. This test may be completed by you without OpenPeppol intervention, with the Test PKI Certificate acting as a log on to enter the central test bed from which the test may be executed.

Acceptance Testing involves:

• verification of your certificates (both the Peppol and TLS certificate)
• validating your ability to send/receive business documents to/from the Test AP
• generating acknowledgment of the documents sent.

The Peppol acceptance testing guide is here OpenPeppol Test and Onboarding (PDF, 1.6MB). For further information on the testing environment, refer to the eDelivery test suite environment description (PDF, 334KB).

Once completed, submit the test results via the OpenPeppol Jira Service Desk portal. On the portal main page, select ‘Test and Onboarding’ and complete the remaining fields. OpenPeppol will advise if the test results are accepted.

Step 3: Complete Interoperability testing

Interoperability testing must be completed to ensure you can send or receive a valid A-NZ invoice with an Australian or New Zealand accredited Peppol service provider. The test files and the interoperability testing document will be provided at the time of testing.

Peppol service providers should arrange interoperability testing with an Australian or New Zealand accredited Peppol service provider. Where you require help in engaging a Peppol service provider for this purpose we can assist you.

You will need to provide us with the interoperability test results.

6. Receive accreditation

All Peppol service providers

Once you have successfully completed all the steps of the accreditation process, we will confirm you are now accredited in Australia. We will also advise you of your annual review date request details to support:

• listing your solution on the eInvoicing accredited service providers page
• adding contacts for the service provider forum and monthly reporting
• mutual accreditation with New Zealand.

Australian Peppol service providers ONLY

We will return a countersigned copy of the Peppol service provider agreement.

You will need to obtain a production certificate to begin transacting in the Peppol network. The production certificate is obtained via the OpenPeppol Jira Service Desk portal. Select ‘PKI Certificate Request’, choose ‘production’ at the certificate purpose option and complete remaining fields.

Once OpenPeppol approves your certificate, you will have 10 days to download your certificate. Certificates not downloaded within this timeframe will expire and you will need to raise a new Service Desk request to have the certificate reissued.

Mutual accreditation with New Zealand

Through the Trans-Tasman single economic market agenda, the Australian and New Zealand governments announced a common approach to eInvoicing. With this common approach, the Australia and New Zealand Peppol Authorities have an aligned accreditation process that supports mutual accreditation of Peppol service providers between the two countries.

Once you are accredited in Australia, you can request mutual accreditation with New Zealand by directly contacting the New Zealand Peppol Authority at einvoicing@mbie.govt.nz.

Accreditation annual review

There will be an annual review of the accreditation status to ensure Peppol service providers continue to meet their obligations on an on-going basis. An annual review will include:

• due diligence checks completed by the Australian Peppol Authority
• provision of a current enforceable Professional Indemnity Insurance policy of at least A$1 million (or equivalent in other currency) per occurrence
• adherence to A-NZ eInvoicing security requirements, which includes
  • completion of section A of the A-NZ eInvoicing Security Questionnaire
  • reviewing your evidence to ensure it aligns to the current security requirements and is up to date, and submitting updated evidence where required
  • advising if there have been changes to your business or product environment.

Peppol technical and policy documents

• Peppol Interoperability Framework - OpenPeppol
• eDelivery Documentation - OpenPeppol
• Guidance for new providers
• Post Award documentation
• Pre Award Documentation
• Peppol Service Provider Agreement
• Peppol Internal Regulations
• Peppol operational procedures

Australian technical and guidance documentation

• Australian Peppol Authority Specific Requirements
• Peppol A-NZ guidance notes
• A-NZ-PEPPOL PEPPOL-BIS-3.0 specification
• A-NZ validation artefacts
• PINT A-NZ specifications

Contact us

For further information and to provide feedback, email eInvoicing@ato.gov.au.

See also

• eInvoicing
• Australian Peppol Authority