Accreditation process for Australian Peppol service providers

On this page

Peppol Overview

The Peppol network is based on an open 4-corner model allowing the exchange of standardised messages, such as eInvoices. Access points connect users to the Peppol network – by connecting to one access point you connect to all.

Peppol is made up of 15 Peppol Authorities and 35 countries and is centrally managed through OpenPeppol. The ATO is the Australian Peppol Authority and is responsible for setting local requirements and managing participants of Peppol in Australia. Find out more about the Australian Peppol Authority.

The Peppol network is reliant on Peppol Service Providers to publish and find details about users such as their message delivery address and the types of messages they can receive. This allows electronic delivery of messages such as eInvoices through software to the correct recipient in the right way.

Accreditation overview

Accreditation is a process a Peppol Service Provider must complete to transact in the Peppol Network. OpenPeppol is responsible for determining which Peppol Authority you will need to complete accreditation with.

To determine this you will need to register with OpenPeppol. OpenPeppol charge an annual membership fee based on a calendar year regardless of your accreditation status - as such we recommend reading the steps to accreditation before initiating this step.

If you have already been accredited with a Peppol Authority in another jurisdiction but want to provide your services to an Australian business, you will need to adhere to the Peppol Authority specific requirements which are listed on Internationally accredited Peppol Service Provider.

To become an accredited Peppol Service provider it is essential to understand the Peppol environment and its structure.

Below is a brief overview of key Peppol resources:

If service providers have questions or would like a meeting to discuss the accreditation steps reach out to eInvoicing@ato.gov.au or through Online services for DSPs.

Steps to become an accredited Peppol Service Provider in Australia

The steps below will apply to Peppol Service Providers who have registered with OpenPeppol and have received advice to complete accreditation with the Australian Peppol Authority.

The time required to complete this process will vary and is dependent on the readiness of the individual Service Provider seeking accreditation.

The steps do not necessarily need to be completed in sequence, but all must be finalised and verified by the Australian Peppol Authority and OpenPeppol before a Service Provider is accredited to transact within the Peppol network.

  1. Submit expression of interest
  2. Legal agreements
  3. Due Diligence checks
  4. Complete A-NZ eInvoicing security questionnaire
  5. Test the service offering
  6. Receive accreditation
  7. Request Production Public Key Infrastructure (PKI) Certificate

1. Submit an expression of interest

To submit an expression of interest with the Australian Peppol Authority do this via ATO Digital service provider (DSP) Portal. You can find out how to register and access the Portal from Online services for DSPs.

If you are not able to access the ATO DSP Portal because you are not eligible to register, you can submit a request for the EOI via eInvoicing@ato.gov.au.

Once registered we will provide a Peppol Service Provider onboarding pack that includes additional information to complete the accreditation process.

We will endeavour to respond to expressions of interest within five business days.

2. Legal agreements

OpenPeppol and Peppol Authorities endorsed the Peppol Service Provider Agreement which came into effect from 1 July 2022 and replaced the prior Peppol agreements which include the Transport Infrastructure Agreement and associated annexes, Peppol AP & SMP agreements.

The Peppol Service Provider agreement sets out the roles and responsibilities of service providers and the ATO in its role as the Australian Peppol Authority and is publicly available on github at PeppolServiceProviderAgreement.

3. Due Diligence checks

To protect the interests of end-users and the other service providers operating in the network, we will use the information obtained to conduct several due diligence checks.

The due diligence checks include:

  • confirmation the entity providing the service is a registered business
  • confirmation the entity providing the service is not insolvent
  • confirmation the entity’s senior office holders are not banned, disqualified or bankrupt
  • criminal record check.

You must provide evidence of an enforceable professional indemnity insurance policy of at least $1 million AUD (or equivalent in other currency) per occurrence. We recommend that service providers ensure the level of coverage is commensurate to their level of risk exposure and adjust to a higher level of insurance where applicable. This helps ensure that you can mitigate against the risk of claims extending to other eInvoicing network participants. This insurance must be in place before live connection to the eInvoicing network.

4. Complete A-NZ eInvoicing security questionnaire

All service providers are required to complete and submit the A-NZ eInvoicing security questionnaire

The security control requirements include:

  • Self-assessment or independent audit against ISO/IEC 27001 or ASD/NZ ISM. This includes suitable evidence for the following controls:
    • Encryption key management
    • Network segregation
    • Audit logging
    • Patch and vulnerability management program
    • Information security awareness, education and training
    • Physical and environmental security
    • Operational procedures and responsibility
    • System acquisition, development and maintenance – including secure coding practices
    • System access control
    • Personnel security
    • Backup
  • Encryption at rest
  • Security monitoring practices.
  • Encryption in transit (Access Points only)
  • Multifactor authentication (Access Points only).

For further information you should refer to A-NZ Information Securioty guidance for eInvoicing Service Providers.

5. Test the service offering

To verify the service offering of the Peppol Service Provider conforms to Peppol specifications and the additional local requirements in Australia you are required to sequentially execute these steps.

Step 1: Complete Unit testing

Complete unit testing in your own environment to verify that your service can send and receive Peppol BIS documents in line with the Peppol eDelivery Network specifications.

Step 2: Obtain Test PKI Certificate

Obtain the test certificate via the OpenPeppol Jira Service Desk portal. On the portal main page select ‘PKI Certificate Request’ and complete the certificate request form. You will need to attach an up-to-date copy of your Peppol Service Provider agreement and company registration document as part of the request.

Outstanding membership fees will need to be paid to OpenPeppol before the request will be processed. OpenPeppol will then assign the certificate request to us for final approval.

Once approved you, the Service Provider, will have 10 days to download your test certificate. Certificates not downloaded within this timeframe will expire. If this occurs, you will need to raise a new Service Desk request to have the certificate renewed.

Step 3: Peppol acceptance testing – eDelivery Network compliance (AP only)

The Acceptance Test is conducted in the OpenPeppol central test bed and formally tests your compliance with Peppol eDelivery Network specifications. This test may be completed by you without OpenPeppol intervention, with the Test PKI Certificate acting as a logon to enter the central test bed from which the test may be executed. Acceptance Testing involves:

  • verification of your certificates (both the Peppol and TLS certificate)
  • validating your ability to send/receive business documents to/from the Test AP
  • generating acknowledgment of the documents sent.

Upon completion of the test, you must provide the results to OpenPeppol for verification. This can be done via the OpenPeppol Jira Service Desk portal. In the portal select ‘Test and Onboarding’. OpenPeppol will notify us when you have successfully completed Acceptance Testing.

Step 4: Complete Interoperability testing

Interoperability testing will be completed to ensure that you can send a Peppol invoice as per A-NZ Peppol BIS 3.0 specifications with an Australian or New Zealand accredited access point.

We can help facilitate an Interoperability Test with an existing Australian accredited access point or access point who has adhered to the Australian Peppol Authority specific requirements. A lead time of two weeks is generally required to allow us to identify and engage a suitable test partner with whom the Interoperability Test can be scheduled.

The specific use cases to be executed as part of the Interoperability Test will be provided at the time of testing.

Upon successful completion of Interoperability Testing, you will need to provide us with confirmation as per the guidelines provided in the testing document.

6. Receive accreditation

We will confirm all required activities have been successfully completed and confirm when your annual review will occur.

We will request additional information to add your solution to the list of eInvoicing accredited service providers on the ATO website.

7. Request Production Public Key Infrastructure (PKI) Certificate

Request the production certificate through the OpenPeppol Jira Service Desk portal. In the portal select ‘PKI Certificate Request’ and complete the certificate request form. You will need to attach an up-to-date copy of your Peppol Service Provider agreement and company registration document as part of the request.

Outstanding membership fees will need to be paid to OpenPeppol before the request will be processed. OpenPeppol will then assign the certificate request to us for final approval.

Once approved you, the Service Provider, will have 10 days to download the production certificate.  Certificates not downloaded within this timeframe will expire. If this occurs, the Service Provider will need to raise a new Service Desk request to have the certificate renewed.

Mutual accreditation with New Zealand

For Peppol Service Providers who are already accredited in New Zealand you can become mutually accredited with the Australian Peppol Authority. To initiate this process contact eInvoicing@ato.gov.au.

For access points who have completed all the steps of accreditation in Australia, they can request mutual accreditation with New Zealand by contacting einvoicing@mbie.govt.nz.

Accreditation Annual review

It is expected that all accredited Peppol Service Providers will meet the requirements of accreditation on an on-going basis. An annual review of accredited Peppol Service Providers will take place to provide this assurance and will include:

  • Due diligence checks completed by the Australian Peppol Authority.
  • Provision of a current enforceable Professional Indemnity Insurance policy of at least $1 million AUD (or equivalent in other currency) per occurrence.
  • Adherence to A-NZ eInvoicing security requirements which includes:
    • Completion of section A of the A-NZ eInvoicing Security Questionnaire.
    • Review your evidence to ensure it aligns to the current security requirements and is up to date. Submit updated evidence where required.
    • Advise if there have been changes to your business or product environment.

Specifications and associated guidance notes

The Peppol network uses standardised messages to enable automation. Jurisdictions can create extensions to the base eInvoicing specification (BIS Billing 3.0). Australia and New Zealand have worked together to create two extensions - the A-NZ invoicing extension and A-NZ self-billing extension.

To assist with invoice processing in Australian and New Zealand we recommend implementing industry best practice fields as per the A-NZ Invoice Practice Statement - Invoice Content.

Specifications and associated guidance notes for your implementation can be found on A-NZ Peppol GitHub.

Contact us

For further information and to provide feedback email eInvoicing@ato.gov.au

See also

Last modified date