- Peppol Specific requirements in Australia
- Mutual acknowledgement with New Zealand
- Annual Review of Peppol Specific requirements
- Specifications and associated guidance notes
The steps below will apply to Peppol Service Providers who have been domiciled overseas by Open Peppol and met requirements of another Peppol Authority but want to provide access point services to an Australian business.
The Peppol Authority specific requirements that must be met aligns to the accreditation steps an Australian Peppol Service Provider must meet. The time required to complete this process will vary and is dependent on the readiness of the individual Service Provider seeking accreditation.
These steps do not necessarily need to be completed in sequence, but all must be finalised and verified by the Australian Peppol Authority before a service provider is able to transact with an Australian business through the Peppol Network.
- Submit an expression of interest
- Legal Agreements
- Due diligence
- Complete the A-Z eInvoicing security questionnaire
- Interoperability testing
- Receive acknowledgment of meeting the Peppol Authority Specific Requirement
If service providers have questions or would like a meeting to discuss the accreditation steps, reach out to eInvoicing@ato.gov.au.
To submit an expression of interest with the Australian Peppol Authority do this via ATO Digital service provider (DSP) Portal. You can find out how to register and access the Portal from Online services for DSPs.
If you are not able to access the ATO DSP Portal because you are not eligible to register, you can submit via eInvoicing@ato.gov.au.
We will endeavour to respond to expressions of interest within five business days.
The legal agreements set the minimum requirements to be applied throughout the entire Peppol eDelivery Network. OpenPeppol and Peppol Authorities have recently endorsed new agreements which come into effect from 1 July 2022. For internationally accredited Peppol service providers to adhere to the requirements of the Australian Peppol Authority the requirements will change depending on the below dates.
All legal agreements are publicly available at A-NZ Accreditation documents.
Accreditation prior to July 1, 2022
For internationally accredited Peppol service providers who are looking to become accredited or meet the Australian Peppol Authority Specific requirements prior to this date they will need to:
- Provide a copy of the signed Transport Infrastructure agreement, Peppol AP and SMP provider agreements.
- Sign the Australian Annex 5.
Accreditation post July 1, 2022
For Peppol service providers who are looking to become accredited post this date they will need to provide a copy of the signed Peppol Service Provider agreement.
To protect the interests of end-users and the other service providers operating in the network, we will provide you with a form to complete to conduct due diligence checks, including:
- confirmation the entity providing the service is a registered business
- confirmation the entity providing the service is not insolvent
- confirmation the entity’s senior office holders are not banned, disqualified or bankrupt
- criminal record check.
We recognise that these checks are dependent on the information available in the local jurisdiction of the service provider.
You must provide evidence of an enforceable professional indemnity insurance policy of at least $1 million AUD (or equivalent in other currency) per occurrence. We recommend that service providers ensure the level of coverage is commensurate to their level of risk exposure and adjust to a higher level of insurance where applicable. This helps ensure that you can mitigate against the risk of claims extending to other eInvoicing network participants. This insurance must be in place before live connection to the eInvoicing network.
We will require you to complete the A-NZ eInvoicing security questionnaire.
The security control requirements include:
- Self-assessment or independent audit against ISO/IEC 27001 or ASD/NZ ISM. This includes suitable evidence for the following controls:
- Encryption key management
- Network segregation
- Audit logging
- Patch and vulnerability management program
- Information security awareness, education and training
- Physical and environmental security
- Operational procedures and responsibility
- System acquisition, development and maintenance – including secure coding practices
- System access control
- Personnel security
- Encryption in transit (Access Points only).
- Encryption at rest.
- Security monitoring practices.
- Multifactor authentication (Access Points only).
We can help facilitate an Interoperability Test with an existing Australian accredited access point or access point who has adhered to the Australian Peppol Authority specific requirements. A lead time of two weeks is generally required to allow us to identify and engage a suitable test partner with whom the Interoperability Test can be scheduled.
The specific use cases to be executed as part of the Interoperability Test will be provided at the time of testing.
Upon successful completion of Interoperability Testing, you will need to provide us with confirmation as per the guidelines provided in the testing document.
We will confirm all required activities have been successfully completed and confirm when your annual review will occur.
We will also request additional information to add your solution to the list of Australian eInvoicing access point providers list on the ATO website.
For access points who have already met the Peppol Authority Specific requirements of New Zealand you can receive mutual acknowledgement with the Australian Peppol Authority. To initiate this process contact eInvoicing@ato.gov.au.
For access points who have completed all the steps in Australia, they can request mutual acknowledgement with New Zealand by contacting email@example.com.
It is expected that all accredited Peppol Service Providers will meet the requirements of accreditation on an on-going basis. An annual review of accredited Peppol Service Providers will take place to provide this assurance and will include:
- Due diligence checks completed by the Australian Peppol Authority.
- Provision of a current enforceable Professional Indemnity Insurance policy of at least $1 million AUD (or equivalent in other currency) per occurrence.
- Adherence to A-NZ eInvoicing security requirements which includes:
- Completion of section A of the A-NZ eInvoicing Security Questionnaire.
- Review your evidence to ensure it aligns to the current security requirements and is up to date. Submit updated evidence where required.
- Advise if there have been changes to your business or product environment.
To assist with invoice processing in Australian and New Zealand we recommend implementing industry best practice fields as per the A-NZ Invoice Practice Statement - Invoice Content.
Specifications and associated guidance notes for your implementation can be found on A-NZ Peppol GitHub.
For further information and to provide feedback email eInvoicing@ato.gov.au