Be ready for Central Electronic System of Payment information (CESOP) with these four tips

Can you guess what was the amount of Value-Added Tax (VAT) due but uncollected in 2021 by the European Union (EU) Member States’ tax authorities?

The ‘VAT compliance gap’ is the difference between the VAT total tax liability (VTTL) and what is actually collected by the Member States’ tax authorities. 

Now that you know the answer, you are probably thinking that that’s a lot of money. The European Commission (EC) couldn’t agree more and that’s why it developed, together with its Member States, new measures to monitor transactional data (and the related or non-related economic activities attached to it) to determine if there are any fraudulent VAT activities. 

 The Central Electronic System of Payment information (CESOP) regulations is one of such measures (Council Directive (EU) 2020/284 and Council Regulation (EU) 2020/283). CESOP is a European database that will enable the European Commission to collect, in a harmonised way, information about cross-border payments such as card payments, credit transfers, direct debits processed by payment service providers (PSPs).

In this blog, we walk you through the 4Ws (who, what, when and why) when it comes to CESOP reporting obligations, explain the challenges that PSPs face due to the new measures, and share some tips you should consider to ensure you are compliant when the time comes.

Don’t have time to read the whole blog entry? Then watch our “Blog in 1 minute” video for a quick summary of its main points:

The who, what, when and why of CESOP reporting

For most cross-border transactions, payments are executed through PSPs that hold specific payment information (inserted by the Payer) to identify the recipient (Payee). Such information is key for tax authorities to detect fraudulent business activities and improve VAT compliance.

Hence, from 1 January 2024, all PSPs offering payment services in the EU—and thus covered by the European Payment Services Directive 2, or PSD2—will be required to keep records of cross-border payment data in electronic registers, and to share these with the EU Member States’ tax authorities on a quarterly basis. This is either to their home country tax authorities or, in certain cases, to other tax authorities within the EU.

More precisely, PSPs will have to monitor the payees of cross-border payments and transmit information on those who receive more than 25 cross-border payments (whatever the type of in-scope payments) per quarter to the Member States’ administrations.

Tax authorities have ten days to send this information to CESOP, where it will be stored, aggregated and cross-checked with other European databases. All information in CESOP will then be made available to Member States’ anti-fraud officials via a network called Eurofisc. 

This will allow the latter to process and analyse the data in an effort to identify the payees such as suppliers and service providers that might not have fulfilled their VAT obligations properly. 

Deadlines to submit the reports will always be at the end of the month following the quarter. Thus, the first reporting’s deadline for PSPs is 30 April 2024 (covering payments in scope during first quarter of 2024), while for the second quarter is 31 July 2024. 

If you are wondering whichPSPs are subject to CESOP reporting obligations, these include credit institutions (including fully licensed banks), electronic money institutions, payment institutions and post-office giro institutions. So, are you in scope?

Which transactions are reportable?

Let’s get to the heart of the matter. Only the cross-border payments that originate from within the EU are potentially reportable. This means that domestic transactions (where the payer and the payee are located in the same EU Member State), as well as transactions originating from outside of the EU (for instance, where the payer is located in a third country) are out of scope. 

As mentioned before, the reporting obligation is only triggered when the same payee receives more than 25 payments per quarter. Thus, PSPs need to apply certain aggregation rules to determine whether the 25-payment threshold is exceeded.

Side note: The European Commission has established the 25-payment threshold as it considers this number an indication that an entity has a certain economic activity where it might have VAT obligations.


We understand that this can make your head spin. To make things clearer (hopefully), see below some fictional examples:

Example 1

Case: Three account holders of a Luxembourg PSP make respectively 5, 10 and 20 payments (credit transfers) to the same payee located in Switzerland in a given quarter. All three account holders are located in Luxembourg.

Analysis: Payments are extra-EU payments since the payers are located in the EU (Luxembourg) and the payee is located in a third country (Switzerland). The reporting obligation will therefore be on the PSP of the payers (Luxembourg PSP). To determine whether the 25-payment threshold is exceeded, the Luxembourg PSP will need to aggregate all payments made to the same payee. In this case, there are 35 payments in total made to the same payee (i.e. Switzerland), thus exceeding the 25-payment threshold. The Luxembourg PSP will therefore need to report the transactions.

Example 2

Case: An account holder of a Luxembourg PSP receives 50 payments (credit transfers) from payers located in France in a given quarter. 

Analysis: Payments are intra-EU payments since the payers are located in France and the payee is located in Luxembourg. The reporting obligation will therefore be on the PSP of the payee (Luxembourg PSP). To determine whether the 25-payment threshold is exceeded, the Luxembourg PSP will need to aggregate all payments made to the same payee. In this case, there are 50 payments in total made to the same payee (i.e. Luxembourg).  The Luxembourg PSP will therefore need to report the transactions.

What data PSPs need to report?

The XSD Schema contains over 70 data fields. Key data elements include: 


  • name 
  • VAT / TIN 
  • account ID
  • address 
  • PSP BIC / ID

Transactional information

  • Date / time
  • Amount
  • Currency
  • MS of origin
  • MS destination refund
  • Payer location information
  • Transaction ID
  • Refund flag
  • Physical premises flag
What happens when you don’t comply?

As this is a EU directive, it will be translated into Member States’ national law. This means that it’s up to each country to decide their penalties regime, which are expected to be effective, proportionate and dissuasive. 

Some countries will be more lenient, such as Germany, which will apply penalties of up to EUR 5,000 per quarter, while others will be stricter. That’s the case of the Netherlands, which will apply fines that can go up to EUR 915,000 per quarter. Luxembourg will be somewhere in the middle, with penalties between EUR 250 to EUR 10,000 per breach.

For late filing and refusal to proactively cooperate and disclose relevant information to the Luxembourg Indirect Tax Authorities, there’s a penalty of up to EUR 25,000 per day. 

What should payment services providers be worried about?

As mentioned before, PSPs need to report to tax authorities, which in some instances may mean tax authorities in other EU countries. This depends on where the payment services were offered or passported. For instance, if a PSP in Luxembourg offers payment services in Denmark, then it has to report to the Danish tax authorities.

Can you imagine what it might look like to have to potentially report to 27 EU Member States, each with its own reporting platform? As a PSP, this means you have to register, obtain login details and authenticate yourself to each tax authority’s platform where you provide payment services. 

And the plot thickens when we take into consideration that sometimes—perhaps most of the time—only the local language is available on these platforms. Thus, even if you are able to identify reported transactions to generate the electronic files (the XMLs), the very last step, which is submitting them, can be quite problematic. 

Indeed, this is the main challenge for PSPs: ensuring compliance with the CESOP regulations in all EU Member States while minimising the operational burden and the costs associated with it.

CESOP - Your challenges

The three technology options for PSPs

When it comes to reporting, technology is key. You need to have the right technology to extract the reportable transactions from your systems and convert them into the relevant XML files to be sent to the relevant tax authorities. 

In fact, slight deviations exist between Member States’ tax authorities such as maximum file sizes for transmission, naming conventions, header of the XML, additional data points to be inserted compared to EU XSD schema, among others. There are three options, each with their pros and cons.

1. Build your own reporting solution

With an in-house built solution, you have full control over it and it’s also advantageous in terms of costs compared to paying a third-party service provider.

The downside is, it goes without saying, that you will have to build the solution and ensure it’s aligned with the rules, and that isn’t always easy. You also need to keep in mind that you will need to maintain that solution year over year, which will require you to allocate resources as well as staying informed about new developments (for example, if there is a change in the reporting format in Sweden, you need to be aware to update your solution accordingly).

2. Acquire an already existing solution

Relying on an external software vendor can be a good option if you want to worry less about maintenance—as it’s built and maintained by the vendor—and compliance. However, such software usually needs to be deployed internally, meaning that it still requires some resources and training on your side, although not as much as a built in-house solution.  

Lastly, it requires paying fees (either to fully buy the solution or to subscribe to it), which can potentially become more expensive than building your own software.

3. Outsource to a service provider

From an operational angle, this is the easiest and less burdensome option for you as there is nothing to be installed or maintained. It’s also the option we can support you with. 

You just need to send us the transactions and we take care of the rest: we filter out non-reportable transactions, we apply CESOP business rules as well as integrity checks, we convert them into XML, and we file them on your behalf. There are some costs associated with this option as well.

Four tips to consider to be CESOP compliant
1. Understand the rules and make working assumptions.

Our first advice for you is to grasp the regulations as much as possible, which isn’t necessarily straightforward since, as of this writing, the Directive is still rather vague, yet complex too.

That doesn’t mean you (or any PSP) should put your CESOP implementation project on hold until the rules are crystal clear. On the contrary, we believe you should take working assumptions regarding the areas that aren’t fully unambiguous and validate them with your preferred tax advisor if needed.  

2. Choose the right technological solution.

As we explained before, technology is essential for reporting. You want to assess the three options we listed, and make a decision based on your needs. That being said, whatever you choose, it isn’t set in stone.

Whether you are unsure about the best choice of software or believe you don’t have enough time (as you might be a bit late in your implementation project), we recommend that you start off for the first couple of years, with the outsourcing option as it’s the quickest way to implement and be ready. Later on, you can consider switching to, for instance, in-sourcing.

3. No matter what option you choose, remember to file your reports.

Keep in mind that developing your own solution or buying the software will only cover the generation of the electronic files. This means you still need to file your reports to all EU Member States’ tax authorities to be compliant, a process that’s generally manual. 

As this can be a challenge, you should assess and define how you will manage the filing part. For instance, will you submit your files yourself or hire a service provider to take care of it?

4. Test, test and then test some more.

Make sure you have sufficient time to test your solution before the CESOP report is filed. This applies to all technological solutions, even outsourcing. So, test the data extraction process, the conversion to XML filing…well, basically, every step you take.


“The clock is ticking” is a rather cliché expression, but one that applies to the CESOP reporting. So does the adage, “time flies”. While it may seem that you still have plenty of time to gear up for this new EU-wide VAT transactional reporting obligation, our final piece of advice is to not postpone any longer and start preparing today.

Even though you can recognise that the CESOP regulations are much needed to combat VAT fraud, we understand they may seem like another burden to you. We aren’t going to lie, they are. But there are ways to lessen your load.

At PwC, we have a network of CESOP specialists who can provide filing assistance and bring their expertise to the table. Moreover, we provide comprehensive CESOP services that go beyond reporting, including data quality checks, report generation covering all 27 Member States, filing services, and post-filing activities such as assistance with tax authorities’ queries, corrective filings, and more.

Given the large data volumes involved with CESOP reporting, we have co-developed a highly efficient and reliable reporting engine with a leading software vendor that will make compliance easy for you. Among other features, it allows you to securely upload raw datasets, monitor the reporting process and visualise key metrics. 

To ensure confidentiality and the highest security standards of your transactional data, our Managed Services are operated by a fully regulated, ISO-27001-certified entity (PwC Regulated Solutions). Check out our CESOP web page to learn more.

What we think
Nenad Ilic

The CESOP regulations will enter into force soon, which is a very short timeframe even though it may not seem like it. Make sure all the steps of your implementation project are finalised and the reporting solution is tested before the first reporting deadline . You need to be compliant and the sooner, the better.

Nenad Ilic, Partner, Banking & Capital Markets Tax Leader, at PwC Luxembourg

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top