Accreditation process for new Peppol service providers

Accredited service providers

The Peppol network is based on an open 4-corner model allowing the exchange of standardised messages, such as e-invoices. Access points connect users to the Peppol network – by connecting to one access point you connect to all.

The Peppol network uses Service Metadata Publisher (SMP) providers to publish and find details about users such as their message delivery address (often the ABN in Australia) and the types of messages they can receive (Peppol supports multiple message types – not just e-invoicing). This allows Access Points to deliver messages such as e-invoices to the correct recipient in the right way.

The ATO is the Australian Peppol Authority and is responsible for setting local requirements and managing participants of Peppol in Australia. Find out more about the Australian Peppol Authority.

How to become a Peppol service provider

To become an accredited Peppol Access Point or SMP provider it is essential to have an understanding of the Peppol environment and its structure.

Below is a brief overview of key Peppol resources:

Once you have reviewed these resources and are ready to proceed, follow the below steps.

Steps to become Peppol e-invoicing accredited

If you have already been accredited with a Peppol Authority in another jurisdiction, you can follow our streamlined process.

The below steps outline the process a new Peppol Service Provider must complete to become accredited. The time required to complete this process will vary and is dependent on the readiness of the individual Service Provider seeking accreditation.

These steps do not necessarily need to be completed in sequence but all must be finalised and verified by us and OpenPeppol before a Service Provider is accredited to transact within the Peppol network.

  1. Join OpenPeppol
  2. Lodge expression of interest
  3. Sign the Service Provider Transport Infrastructure Agreement
  4. Due diligence checks undertaken by Authority
  5. Complete security questionnaire
  6. Test the service offering
  7. Receive accreditation
  8. Request Production Public Key Infrastructure (PKI) Certificate

1. Join OpenPeppol

OpenPeppol membership is mandatory for all service providers who intend to offer AP and/or SMP services within the Peppol network.

You can apply to become an OpenPeppol member at any time by contacting info@peppol.eu and completing the registration forms.

All members of OpenPeppol are required to pay an annual subscription fee to support the purposes and activities of the Association. The fee payable will depend on the Service Provider’s membership category – refer to the OpenPeppol website for further details.

It is strongly recommended that service providers engage with one of the OpenPeppol Coordinating Communities after joining OpenPeppol as a member. Participation in these communities will provide you with an opportunity to network with established Peppol members (across multiple countries and industries) and benefit from their experience.

2. Lodge expression of interest

A Service Provider interested in becoming accredited needs to submit an expression of interest with the Peppol Authority. 

The ATO operates the Australian Peppol Authority. Expressions of interest should be submitted to us via the ATO Digital Service Provider (DSP) Portal. You can find out how to register and access the Portal from Online services for DSPs.

We will endeavour to respond to expressions of interest within two business days. The response will include a Peppol Service Provider onboarding pack – a zip file that includes additional information you will need to complete the accreditation process.

3. Sign the Service Provider Transport Infrastructure Agreement

Following membership approval, you will need to sign the Transport Infrastructure Agreement (TIA) with us. There are separate agreements for AP providers and SMP providers.

You will also be given the opportunity to sign the New Zealand Annex 5 to be automatically recognised as an accredited Service Provider in both jurisdictions following the completion of this process.

The purpose of the TIA and the annexes is to define the general principles for the operation of the Peppol Transport Infrastructure and clarify the role and responsibilities of both you as Service Provider and us as the Peppol Authority.

The TIA sets the minimum requirements to be consistently applied throughout the entire Peppol eDelivery Network. The Annex 5 to the TIA contains the details of the additional requirements and criteria that apply to service providers operating in Australia.

4. Due diligence checks undertaken by Authority

To protect the interests of end-users and the other service providers operating in the network, we will use the information obtained in Annex 1 of the TIA to conduct a number of due diligence checks.

The due diligence checks include:

  • confirmation the entity providing the service is a registered business
  • confirmation the entity providing the service is not insolvent
  • confirmation the entity’s senior office holders are not banned, disqualified or bankrupt
  • criminal record check.

You must also confirm your intent to procure / provide evidence of an enforceable professional indemnity insurance policy of $10 million (or greater) per occurrence in the country’s currency. This helps ensure that you can mitigate against the risk of claims extending to other e-invoicing network participants. This insurance must be in place before live connection to the e-invoicing network.

Some of the information collected may need to be refreshed annually to keep the records up to date and ensure accreditation is maintained.

5. Complete security questionnaire

All service providers are required to complete and submit a security questionnaire via the ATO DSP portal. The questionnaire requires evidence of the following:

  • Self-assessment or independent audit against ISO/IEC 27001 or ASD/NZ ISM. This includes suitable evidence for the following controls:
    • Encryption key management
    • Network segregation
    • Audit logging
    • Patch and vulnerability management program
    • Information security awareness, education and training
    • Physical and environmental security
    • Operational procedures and responsibility
    • System acquisition, development and maintenance – including secure coding practices
    • System access control
    • Personnel security
    • Backup
  • Encryption in transit (Access Points only)
  • Encryption at rest
  • Security monitoring practices
  • Multifactor authentication (Access Points only)

6. Test the service offering

To verify the AP/SMP service offering conforms to Peppol specifications (and the additional local requirements) you are required to execute testing as per the following requirements:

Unit testing (AP and SMP)

It is strongly recommended that you complete unit testing in your own environment to verify that your service is able to send and receive Peppol BIS documents in line with the Peppol eDelivery Network specifications.

Obtain Test PKI Certificate (AP only)

Before you can execute the next phase, Peppol Acceptance Testing, you will need to obtain a Test PKI Certificate. A test certificate is needed to access the Peppol central test bed and execute the Acceptance Test use cases.

The test certificate must be requested via the OpenPeppol Jira Service Desk portal. This portal is open to the public, meaning no login details are required to access it. On the portal main page select ‘PKI Certificate Request’ and complete the certificate request form. You will need to attach an up-to-date copy of the Annex 1 and company registration document as part of the PKI Certificate Request.

OpenPeppol will review the request for completeness and verify your membership status. If any membership fees are outstanding you will be asked to pay these before the request will be processed. OpenPeppol will then assign the certificate request to us for final approval.

Once approved, you will have 10 days to download your test certificate. Certificates not downloaded within this timeframe will expire. If this occurs, you will need to raise a new Service Desk request to have the certificate renewed.

Peppol acceptance testing – eDelivery Network compliance (AP only)

The Acceptance Test is conducted in the OpenPeppol central test bed and formally tests your compliance with Peppol eDelivery Network specifications. This test may be completed by you without OpenPeppol intervention, with the Test PKI Certificate acting as a logon to enter the central test bed from which the test may be executed. Acceptance Testing involves:

  • verification of your certificates (both the Peppol and TLS certificate)
  • validating your ability to send/receive business documents to/from the Test AP
  • generating acknowledgment of the documents sent.

Upon completion of the test, you must provide your results to OpenPeppol for verification. OpenPeppol will notify us when you have successfully completed Acceptance Testing.

Interoperability testing (AP and SMP providers)

You can notify us via the ATO DSP Portal when you are ready to complete interoperability testing. The specific use cases to be executed as part of the Interoperability Test are outlined in the Service Provider onboarding pack.

We will facilitate an Interoperability Test with an existing Peppol AP provider.

Test scheduling

You are expected to notify us via the ATO DSP Portal of your intended test commencement date as soon as practicable following the successful completion of Peppol Acceptance Testing.

A lead time of two weeks is generally required to allow us to identify and engage a suitable test partner (existing AP provider) with whom the Interoperability Test can be scheduled.

Test closure memo

Upon successful completion of Interoperability Testing you will need to provide us with confirmation.

7. Receive accreditation

We will confirm all required activities have been successfully completed and notify you that the accreditation process has been finalised.

We will also add you to the E-invoicing accredited service providers list on the ATO website.

8. Request Production Public Key Infrastructure (PKI) Certificate

Once accredited, the final step for you is to request your Production PKI Certificate be issued by OpenPeppol. The Production PKI Certificate allows you to prove you are a trusted network participant and begin transacting within the Peppol network.

The production certificate can be requested via the OpenPeppol Jira Service Desk portal. In the portal select ‘PKI Certificate Request’ and complete the certificate request form. You will again need to attach an up-to-date copy of your Annex 1 and company registration document as part of your Production PKI Certificate Request.

OpenPeppol will review the request for completeness and re-verify your membership status. If any membership fees are outstanding, you will be required to pay these before the request will be processed. OpenPeppol will then assign the production certificate request to us for final approval.

Once approved, you will have 10 days to download the production certificate from OpenPeppol. Certificates not downloaded within this timeframe will expire. If this occurs, you will need to raise a new Service Desk request to have the certificate renewed.

Specifications and associated guidance notes

The Peppol network uses standardised messages to enable automation. Jurisdictions can create extensions to the base e-invoicing specification (BIS Billing 3.0). Australia and New Zealand have worked together to create two extensions - the A-NZ invoicing extension and A-NZ self-billing extension.

Specifications and associated guidance notes for your implementation can be found on A-NZ Peppol GitHub.

Contact us

For further information and to provide feedback email e-invoicing@ato.gov.au