Established Peppol service provider accreditation process

A streamlined accreditation process has been put in place for established Peppol service providers that have already signed the Transport Infrastructure Agreement (TIA) in another jurisdiction.

If you are accredited with a Peppol Authority in another jurisdiction, you are classified as an established Peppol service provider. You can apply to be added to the register of accredited service providers on the ATO website.

The time required to complete this process is dependent on the readiness of the individual service provider seeking accreditation.

These steps do not necessarily need to be completed in sequence. Some steps can be actioned concurrently, but all steps must be finalised and verified by the ATO as the Australian Peppol Authority before you will be recognised as accredited in the Australian market.

Accreditation process

  1. Expression of interest
  2. Sign Annex 5
  3. Due diligence
  4. Complete the security questionnaire
  5. Interoperability testing
  6. Receive accreditation

1. Expression of interest

You will need to submit an expression of interest with the Peppol Authority.

The ATO operates the Australian Peppol Authority. Expressions of interest (EOI) should be submitted via the ATO Digital service provider (DSP) Portal. You can find out how to register and access the Portal from Online services for DSPs.

If you are not able to access the ATO DSP Portal because you are not eligible to register, you can submit an EOI email.

We will endeavour to respond to expressions of interest within two business days.

2. Sign Annex 5

Established Service Providers wishing to be accredited by the Australian Peppol Authority will need to sign the Australian Annex 5. Established Peppol Service Providers have already signed the TIA in another jurisdiction so are not required to also sign the Australian TIA. However, in order to be recognised as an accredited Access Point provider in Australia, you must sign the Australian Annex 5.

The purpose of Annex 5 is to outline the additional requirements and criteria that apply to service providers operating in Australia.

3. Due diligence

To protect the interests of end-users and the other service providers operating in the network, we will provide you with a form to complete to conduct due diligence checks, including:

  • confirmation the entity providing the service is a registered business
  • confirmation the entity providing the service is not insolvent
  • confirmation the entity’s senior office holders are not banned, disqualified or bankrupt
  • criminal record check.

We recognise that these checks are dependent on the information available in the local jurisdiction of the service provider.

You must also confirm your intent to obtain an enforceable professional indemnity insurance policy of $10 million (or greater) per occurrence in the country’s currency. This helps ensure that you can mitigate against the risk of claims extending to other e-invoicing network participants. This insurance must be in place before live connection to the e-invoicing network.

Some of the information collected may need to be refreshed annually to keep the records up-to-date and ensure accreditation is maintained.

4. Complete the security questionnaire

We will require you to complete the security questionnaire to confirm the existence of appropriate security controls.

The security control requirements include:

  • Self-assessment or independent audit against ISO/IEC 27001 or ASD/NZ ISM. This includes suitable evidence for the following controls:
    • Encryption key management
    • Network segregation
    • Audit logging
    • Patch and vulnerability management program
    • Information security awareness, education and training
    • Physical and environmental security
    • Operational procedures and responsibility
    • System acquisition, development and maintenance – including secure coding practices
    • System access control
    • Personnel security
    • Backup
  • Encryption in transit (Access Points only)
  • Encryption at rest
  • Security monitoring practices
  • Multifactor authentication (Access Points only).

The evidence collected will need to be refreshed annually to keep the records up-to-date and ensure that accreditation is maintained.

5. Interoperability testing

We will facilitate an Interoperability Test with an existing Peppol AP provider to confirm that you are able to:

  • establish compatibility with another Australian Peppol AP, and
  • validate conformance with local BIS requirements (that is, validate the payload).

The specific use cases to be executed as part of the Interoperability Test are included in the Service Provider on-boarding pack.

Test scheduling

A lead time of two weeks is generally required to allow us time to identify and engage a suitable partner (existing AP provider) with whom the Interoperability Test can be scheduled.

Test closure memo

Upon completion of the Interoperability Test you will need to provide evidence and confirm completion of testing with us.

6. Receive accreditation

We will confirm all required activities have been successfully completed and notify you that the accreditation process has been finalised.

We will also add you to the E-invoicing accredited service providers list on the ATO website.

Specifications and associated guidance notes

Specifications and associated guidance notes for your implementation can be found on A-NZ Peppol GitHub.

Contact us

For further information and to provide feedback, email e-invoicing@ato.gov.au.
