New PEPPOL Standards: Mandatory ISO Certification for All Access Points

PEPPOL requires that Access Point Providers have ISO 27001 certification - an information security standard that ensures the confidentiality, integrity, and availability of data.

PEPPOL is a global network that facilitates cross-border exchange of electronic documents. The PEPPOL network is so highly regarded that many countries are implementing e-invoicing mandates based on the PEPPOL infrastructure. This makes PEPPOL connectivity crucial for businesses in many countries.

However, everyone needs an Access Point to connect to the PEPPOL network. Interestingly, to ensure Access Points provide quality service, PEPPOL expects them to meet certain requirements. One of those service-level requirements is mandatory ISO certification.

What does the mandatory ISO certification for PEPPOL Access Points mean? This article will answer this question, including how to become an Access Point.

Overview of PEPPOL Access Point

A PEPPOL Access Point is the PEPPOL gateway. It is a private company that connects people to the PEPPOL network.

Know that PEPPOL does not allow individuals or businesses to connect directly to the network. Instead, it operates using the four-corner model, where people must connect to an Access Point provider, who then connects them to the network.

The best example of the PEPPOL four-corner model is the telecommunication model.

To use the telecommunication network, you need to connect to a telecom service provider. This provider issues you a phone number, which becomes your unique identifier in the network.

When sending a message (text) to anyone on a telecom network, the text moves from your station to your telecom provider.

Your telecom provider then forwards the message through the network to the telecom provider of your recipient. Lastly, the recipient’s telecom provider sends the message to them.

In a similar fashion, you need to connect to a PEPPOL Access Point provider to send electronic documents through the PEPPOL network. The Access Point provides you with a PEPPOL ID, which becomes your unique identifier on the network.

When sending an electronic invoice via the PEPPOL network, it goes from your station to your Access Point provider. This entity ensures the document meets relevant standards and then forwards it to the Access Point provider of your recipient, who then sends it to the recipient.

Following the “connect one, connect all” principle, once you connect to an Access Point provider, you can reach anyone connected to the PEPPOL network.

To learn more, read: What is a PEPPOL Access Point?

What is ISO certification?

ISO certification is a credential that attests that an organization has fulfilled the requirements for quality process standards as defined by the ISO (International Organization for Standards).

The International Organization for Standards (ISO) is an independent, non-governmental organization that develops standards/ specifications to ensure the quality, efficiency, and safety of products, services, and systems.

That is, the ISO standards exist to ensure the quality, reliability, and safety of the products and services we use every day. The organization only certifies products, services, and systems that meet its high standards for efficiency, quality, and safety.

Thus, the ISO certification is a badge showing that a product or service is of high quality, reliable, and safe.

Understanding PEPPOL Mandatory ISO Certification for All Access Points

PEPPOL requires that every entity that wants to serve as an Access Point Provider to the PEPPOL network have ISO 27001 certification.

ISO 27001 is one of the main standards developed by the International Organization for Standards. It defines the requirements an Information Security Management System (ISMS) must meet to be considered safe and reliable.

ISO 27001 is the most recognized standard for information security worldwide. The standard is jointly published by the International Organization for Standards (ISO) and the International Electrotechnical Commission (IEC). So, it is also called SO/IEC 27001.

Having the ISO 27001 certification means that an organization follows the best practices and principles relating to securing the data it owns or handles. Some Access Point Providers like Storecove are ISO 27001 certified, guaranteeing the security of your data.

In today’s world, cybercrime is on the rise, and new threats keep emerging. As a result, businesses and government organizations are now more concerned about how their information is handled and stored by third parties.

Before dealing with parties, businesses want some assurance that their information will be safe.

The ISO 27001 certification provides this assurance! The ISO 27001 certification offers three assurances:

Confidentiality of information

When an organization’s information security management system follows the ISO 27001 standard, the system can ensure that only the right people can access information handled and stored by the organization.

So, when dealing with the organization, you can be sure your sensitive information is safe because it cannot be intercepted by hackers and other criminals.

Integrity of information

When an organization’s ISMS is implemented following the ISO 27001 standard, the system will store data reliably. This means that data will remain accurate and consistent over its entire lifecycle in the system and cannot be damaged or erased.

Availability of information

When an organization’s information security system follows the ISO 27001 standard, the organization and its clients can access the information whenever they want to.

So, when dealing with the organization, you can be sure that your information will be available whenever you need it for business purposes. For example, you won’t have to hold off submitting a business document because you cannot reach your Access Point provider due to server problems.

How to Become a PEPPOL Access Point

To send e-invoices and other electronic business documents via the PEPPOL network, you need an Access Point. The easiest way to do this is to connect to an Access Point provider.

However, you can become an access point yourself and then give yourself access to the PEPPOL network. Know that this is a more challenging approach as you’d have to invest heavily to set up and maintain the PEPPOL infrastructure.

That said, the steps for becoming an Access Point provider yourself are as follows:

Become an OpenPEPPOL member

OpenPEPPOL membership is required to become a PEPPOL Access Point provider. Contact for the registration form. Complete and sign the form, scan it, and email a PDF version to

OpenPEPPOL will review your application as soon as possible and notify you of their decision. If your application is approved, your organization will be included on the online list of OpenPEPPOL members.

Sign the PEPPOL Transport Infrastructure Agreement

The TIA sets the minimum requirements that must be followed throughout the PEPPOL eDelivery Network, outlining the requirements of parties in the PEPPOL transport infrastructure (including PEPPOL Authorities, PEPPOL Access Point providers, and PEPPOL Service Metadata Publishers).

Signing the agreement is an acknowledgment that you understand the operation and principles of the PEPPOL transport infrastructure and the roles and responsibilities of PEPPOL Access Point providers.

You can get the PEPPOL Transport Infrastructure Agreement from any PEPPOL Authority. So, after becoming an OpenPEPPOL member, request the TIA from a PEPPOL Authority (preferably your national PEPPOL Authority).

Sign the PEPPOL Transport Infrastructure Agreement and return it to the PEPPOL Authority.

Submit your company registration document for due diligence check

When submitting the TIA package, you must also add a copy of your company registration document for PEPPOL’s due diligence checks.

PEPPOL will review your company registration documents to verify that your company is legitimate and solvent. It’ll also run criminal checks to know whether your company has engaged in any criminality or illegality in the past.

If the review is successful, you’ll gain access to a site to generate test certificates from the PEPPOL Certification Authority.

Implement the PEPPOL technical specification

Once you’ve signed all agreements, implement your access point. You can do this by building your own implementation from scratch or using open-source software.

You must comply with the specifications in the OpenPEPPOL Mitigation Policy, including supporting the appropriate communication protocol and implementing one or more PEPPOL BIS.

Carry out testing

After implementing your Access Point, you need to test your setup to demonstrate technical and security competency.

Contact the PEPPOL Authority you are registering with to request the test. The test will verify your Access Point certificates, both the HTTP certificate used to enable HTTP communication and the PEPPOL certificate used to sign the document.

Testing usually involves sending an electronic document through the newly-created Access Point, with the PEPPOL Authority as the recipient, and sending another backward from the PEPPOL Authority to you.

Complete Self-Conformance and request a PKI Certificate

After testing your Access Point setup, complete the Testing Results template and send it to your PEPPOL Authority for review.

If the review is successful, you can contact the PEPPOL Authority to request your Production Public Key Infrastructure (PKI) Certificate. Your PKI certificate proves that you are a trusted participant in the PEPPOL network.

Takeaway: Meet PEPPOL service-level requirements for access points

Businesses that need to connect to the PEPPOL network to send business documents need an Access Point.

You can follow the steps above to become a PEPPOL Access Point provider and give yourself access to the PEPPOL network.

However, setting up and maintaining the necessary PEPPOL infrastructure is cumbersome. So, the easiest way to get access to the PEPPOL network is to connect via an Access Point provider.

Storecove is a trusted Access Point provider that helps businesses connect to the PEPPOL network. With PEPPOL, you can send and receive e-invoices and other electronic documents without worrying about the different formats in different regions.

You simply provide the document, and our API will automatically ensure the document is compliant with the legislation in the recipient’s region and safely send it to them.

Storecove meets every PEPPOL service-level requirement for Access Points providers, including the mandatory ISO certification.

As an ISO27001-certified PEPPOL Access Point provider, we follow the best practices and principles outlined in the ISO27001 standards to preserve the confidentiality, integrity, and availability of your information.

Ready to start sending compliant e-invoices safely via PEPPOL? Contact us and learn how we can help you become e-invoicing compliant in over 50 countries.

More information about New PEPPOL Standards?

Contact us for more information or schedule a consult with one of our e-invoicing experts.

Read also:


Subscribe to our Newsletter

* indicates required