COMMISSION IMPLEMENTING REGULATION (EU) 2022/1504
of 6 April 2022
laying down detailed rules for the application of Council Regulation (EU) No 904/2010 as regards the creation of a central electronic system of payment information (CESOP) to combat VAT fraud
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Council Regulation (EU) No 904/2010 of 7 October 2010 on administrative cooperation and combating fraud in the field of value added tax (1), and in particular Article 24e thereof,
Whereas:
(1) Council Directive 2006/112/EC (2), as amended by Directive (EU) 2020/284 (3), introduces reporting obligations for payment service providers from 1 January 2024. From then on, payment service providers who are established or provide payment services in the European Union are to keep certain records of cross-border payments originating from payers within Member States and certain information of the payees, and transmit those records to the Member States for the fight against value added tax (VAT) fraud.
(2) Pursuant to Regulation (EU) No 904/2010, as amended by Regulation (EU) 2020/283 (4), Member States are to transmit those records to a central electronic system of payment information (‘CESOP’), which is to be developed, maintained, hosted and technically managed by the Commission.
(3) To ensure the proper functioning of CESOP, and pursuant to Article 24e, point (a), of Regulation (EU) No 904/2010, it is necessary to adopt the technical measures for establishing CESOP. Those measures should provide for the necessary CESOP functionalities for the development of CESOP’s capabilities as described in Article 24c of Regulation (EU) No 904/2010. The measures should also ensure a high level of user-friendliness by providing search and visualisation tools in CESOP. In addition, CESOP should facilitate exchanges of information between Eurofisc liaison officials by allowing them to quickly and securely exchange information on VAT fraud directly in CESOP. The measures that the Commission should take to maintain CESOP after it becomes operational should also be laid down in order to ensure the operational quality standards of CESOP’s IT infrastructure and its functionalities, and that the required updates are made when needed to handle the system’s incidents between the Commission and Member States.
(4) While Member States, as controllers of CESOP, are responsible for its management, the Commission has a series of responsibilities limited to the technical management of CESOP as its host and processor, pursuant to Article 24e, point (b), of Regulation (EU) No 904/2010. These should include the technical tasks necessary for the daily administration of CESOP such as keeping records of the Eurofisc liaison official accessing CESOP, keeping records of the payment service providers which transmitted data to Member States, establishing appropriate organisational security measures for CESOP, as well as providing the necessary training and support for Eurofisc liaison officials to use CESOP effectively.
(5) Pursuant to Article 24b(1), point (b), of Regulation (EU) No 904/2010, Member States are to send data to CESOP in a common format. The data elements to be reported by payment service providers in the format of an XML document should be set out. In order to ensure the overall operability between national electronic systems and CESOP pursuant to Article 24b(3) of Regulation (EU) No 904/2010, Member States should check that the data transmitted by payment service providers includes the compulsory and syntactically correct data elements pursuant to Article 243d of Directive 2006/112/EC, as CESOP can only operate if the mandatory data is correctly logged into CESOP.
(6) Member States should designate the Eurofisc liaison officials who will have access to CESOP and inform the Commission of their decision. In that regard, the Commission should provide those officials with a unique identifier to access CESOP and maintain a list of all Eurofisc liaison officials who have access to CESOP based on the information received from Member States.
(7) Pursuant to Article 24e, point (g), of Regulation (EU) No 904/2010, the Commission is to establish procedures to ensure that appropriate technical and organisational security measures for the development and operation of CESOP are in place. Several security aspects of CESOP’s central components of also depend on the implementation of national security measures, such as measures to control the safety of the data transmitted and measures to ensure that only the Eurofisc liaison official with a valid unique identifier may access CESOP. Therefore, Member States should provide the Commission with information on their own security measures. The Member States and the Commission should keep each other informed of the security measures taken and of the need of any upgrade to those measures.
(8) The processing of personal data under this Regulation as well as the responsibilities of Member States and the Commission is subject to the rules laid down in Regulation (EU) 2016/679 of the European Parliament and of the Council (5) and in Regulation (EU) 2018/1725 of the European Parliament and of the Council (6). Pursuant to Article 24e, point (h), of Regulation (EU) No 904/2010, the roles and responsibilities of Member States and the Commission regarding controllership of CESOP should be laid down. Member States should jointly be considered as controllers of CESOP as they decide on the means of processing and use of the data in CESOP. The Commission should be considered as processor as it acts on behalf of Member States in performing all its tasks.
(9) This Regulation should only apply from 1 January 2024 in order to align it with the application of Regulation (EU) 2020/283 and Directive (EU) 2020/284.
(10) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 2 February 2022.
(11) The measures provided for in this Regulation are in accordance with the opinion of the Standing Committee on Administrative Cooperation,
HAS ADOPTED THIS REGULATION:
Article 1
Technical measures for establishing and maintaining CESOP
1. The Commission shall develop technical measures for the establishment of CESOP with the following functionalities:
(a) receiving payment data transmitted by Member States;
(b) storing the payment data securely for a maximum period of 5 years from the end of the calendar year in which the Member States transmitted the information to it;
(c) cleansing the payment data of anomalies and mistakes, including duplications of the same payment;
(d) aggregating the payment data in relation to each payee;
(e) allowing searches and visualisation of the payment data in CESOP;
(f) analysing and performing crosschecks of the payment data with the data stored and exchanged in accordance with Article 17(1), points (a), (b), (d), (e) and (f), and Article 33(2), point (b), of Regulation (EU) No 904/2010:
(g) performing automatic analytics and flag suspicious payees;
(h) allowing Eurofisc liaison officials to perform non-automatic controls and analysis;
(i) generating reports on the results of the analysis and controls performed by CESOP and the Eurofisc liaison officials;
(j) providing user access control management infrastructure for the Eurofisc liaison officials;
(k) allowing Eurofisc liaison officials to exchange information relating to cross-border VAT fraud investigation and detection directly in CESOP;
(l) providing the technical infrastructure for Member States to manage access rights for their Eurofisc liaison officials.
2. The Commission shall perform the following tasks for maintaining CESOP:
(a) ensuring that CESOP and its functionalities are operational;
(b) performing maintenance outside working hours;
(c) providing the necessary technical updates for the proper functioning and improvement of CESOP;
(d) handling technical problems.
Article 2
Tasks of the Commission for technically managing CESOP
The Commission shall perform the following tasks to technically manage CESOP:
(a) retaining and updating the list of Eurofisc liaison officials who have access to CESOP and their unique personal user identification in accordance with Article 5;
(b) implementing the organisational and technical security measures referred to in Article 6;
(c) establishing, keeping and maintaining a list of payment service providers who reported data pursuant to Article 24b(1) of Regulation (EU) No 904/2010, according to the data provided by Member States;
(d) giving Eurofisc liaison officials who have access to CESOP automated access to the list maintained pursuant to point (c);
(e) providing technical assistance to Eurofisc liaison officials when using CESOP;
(f) providing training to Eurofisc liaison officials regarding the use of CESOP.
Article 3
Connection and overall interoperability between CESOP and national electronic systems
1. Member States shall take all the necessary measures to ensure that the national electronic systems for the collection of payment information set up pursuant to Article 24b(2) of Regulation (EU) No 904/2010 are functional and able to collect the payment information pursuant to Article 24b(1) of that Regulation.
2. Member States shall transmit to CESOP only the payment information that is complete with all the mandatory fields pursuant to Article 243d of Directive 2006/112/EC and is in line with the requirements laid down in the Annex to this Regulation.
3. The Commission shall ensure the interoperability between CESOP and the national electronic systems referred to in paragraph 1.
Article 4
Standard electronic form
The electronic standard form referred to in Article 24b(1), point (b), of Regulation (EU) No 904/2010, shall be submitted in a standardised XML format in accordance with the data table in the Annex to this Regulation.
Article 5
Practical arrangements regarding Eurofisc liaison officials who will have access to CESOP
1. Member States shall designate the Eurofisc liaison officials who will have access to CESOP and communicate their names and email addresses to the Commission.
2. Member States shall inform the Commission of any changes in the information provided under paragraph 1, including changes in the designated Eurofisc liaison officials, in a timely manner and no later than 30 calendar days after the change occurred.
3. The Commission shall immediately provide the Eurofisc liaison officials referred to in paragraph 1 with a unique personal user identification to access CESOP.
Article 6
Procedures for the technical and organisational security measures for the development and operation of CESOP
1. The Member States shall provide the Commission with information on the application and every update of their own security measures at national level.
That information shall include details on the measures adopted to ensure only Eurofisc liaison officials referred to in Article 5 have access to CESOP and details on the measures adopted to ensure the encryption of the data transmitted by the Member States.
2. The Commission shall, by 30 April each year from the year following the date of application of this Regulation, inform the Member States of the measures taken for the security of CESOP.
That information shall at least indicate the following:
(a) the security incidents that occurred during the previous year and how they have been resolved;
(b) details on security measures adopted or changes to the existing security measures;
(c) an assessment of the existing security measures and whether the Commission considers any changes to those measures is needed.
Article 7
Roles and responsibilities of the controllers and the processor
1. Member States shall jointly be controllers, as defined in Article 4, point (7), of Regulation (EU) 2016/679, of CESOP. The responsibilities of the controllers of CESOP shall be determined in an agreement between the controllers, which shall set out the rules for the exercise of rights of the data subject and their duties in relation to the provision of the information referred to in Article 13 and 14 of Regulation (EU) 2016/679.
Member States shall be responsible for the following:
(a) drawing up the technical specifications of CESOP, and where necessary adapting them, for the Commission to be able to:
(a) establish and maintain CESOP pursuant to Article 1 of this Regulation;
(b) technically manage CESOP pursuant to Article 2 of this Regulation;
(c) ensure the interoperability of the national electronic systems referred to in Article 24b of Regulation (EU) No 904/2010 and CESOP pursuant to Article 3(3) of this Regulation;
(d) take the security measures pursuant to Article 6(2), first subparagraph, of this Regulation;
(b) setting out the rules and procedures for the selection of Eurofisc liaison officials who will have access to CESOP;
(c) answering requests from data subjects regarding the exercise of the rights laid down in Chapter III of Regulation (EU) 2016/679.
2. The Commission shall be processor, as defined in Article 3, point (12), of Regulation (EU) 2018/1725, of CESOP.
The Commission shall:
(a) process the personal data on behalf of the Member States on their instructions and keep documentation for those instructions;
(b) ensure the confidentiality of personal data when processed under this Regulation;
(c) provide the necessary technical infrastructure for Member States to respond to the requests referred to in paragraph 1, point (c);
(d) assist the Member States to comply with the obligations laid down in Articles 33 to 41 of Regulation (EU) 2016/679;
(e) ensure the deletion of all personal data stored in CESOP in accordance with Article 24c(2), of Regulation (EU) No 904/2010;
(f) make available to Member States all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by Member States or another auditor mandated by Member States, in full respect of Protocol (No 7) to the Treaty on the Functioning of the European Union on the Privileges and Immunities of the European Union.
Article 8
This Regulation shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union
.
It shall apply from 1 January 2024.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 6 April 2022.
For the Commission
The President
Ursula VON DER LEYEN
(1)
OJ L 268, 12.10.2010, p. 1
.
(2) Council Directive 2006/112/EC of 28 November 2006 on the common system of value added tax (
OJ L 347, 11.12.2006, p. 1
).
(3) Council Directive (EU) 2020/284 of 18 February 2020 amending Directive 2006/112/EC as regards introducing certain requirements for payment service providers (
OJ L 62, 2.3.2020, p. 7
).
(4) Council Regulation (EU) 2020/283 of 18 February 2020 amending Regulation (EU) No 904/2010 as regards measures to strengthen administrative cooperation in order to combat VAT fraud (
OJ L 62, 2.3.2020, p. 1
).
(5) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (
OJ L 119, 4.5.2016, p. 1
).
(6) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (
OJ L 295, 21.11.2018, p. 39
).
ANNEX
Electronic form for the transmission of data
|
Box N° |
Data Element name |
Article 243d |
Description |
Format example |
Mandatory |
Checks performed at transmission to CESOP |
||||||
|
1 |
BIC/ID reporting PSP |
(1), point (a) |
BIC as defined in Article 2, point (16), of Regulation (EU) No 260/2012 of the European Parliament and of the Council(1) or any other business identifier code that unambiguously identifies the payment service provider transmitting the data. |
BIC of the payment service provider providing the data. |
Yes |
Presence, syntactic check of the BIC |
||||||
|
2 |
Payee name |
(1), point (b) |
All names of the payee as available in the records of the payment service providers, including legal name and business name. |
Card acceptor name, Merchant name, Creditor name. |
Yes |
Presence |
||||||
|
3 |
Payee VAT/TIN |
(1), point (c) |
VAT identification number and/or any other national tax number of the payee. |
|
Optional Mandatory |
Syntactic check of the VAT numbers from EU Member States |
||||||
|
4 |
Payee account ID |
(1), point (d) |
IBAN as defined in Article 2, point (15), of Regulation (EU) No 260/2012 or, if not available, any other identifier, which unambiguously identifies and gives the location of the payee involved in the transaction. |
IBAN, card acceptor ID, Merchant ID, E-account identifier. |
Yes when funds are transferred to a payment account of the payee |
Presence, syntactic check of the IBAN |
||||||
|
5 |
BIC/ID Payee PSP |
(1), point (e) |
BIC or any other business identifier code that unambiguously identifies and gives the location of the payment service provider acting on behalf of the payee where the payee receives funds without having a payment account. |
BIC. |
Only when the payee receives funds without having a payment account |
Presence, syntactic check of the BIC |
||||||
|
6 |
Payee Address |
(1), point (f) |
All addresses of the payee as available in the records of the payment service providers (legal address, business address, warehouse address). |
Card acceptor street, Merchant address, account owner address. |
Optional Mandatory |
|
||||||
|
7 |
Refund |
(1), point (h) |
Any reference that the transaction is a refund and link to the previous transaction reported. |
|
If applicable |
Presence |
||||||
|
8 |
Date/time |
(2), point (a) |
Date and time of the execution of the payment transaction or of the payment refund. |
Purchase date, execution date, transaction created date. |
Yes |
Presence, syntactic check |
||||||
|
9 |
Amount |
(2), point (b) |
Amount of the payment transaction or of the payment refund. |
|
Yes |
Presence |
||||||
|
10 |
Currency |
(2), point (b) |
Currency of the payment transaction or of the payment refund. |
|
Yes |
Presence, syntactic check of the currency code |
||||||
|
11 |
MS origin payment |
(2), point (c) |
Member State of origin of the payment received by the payee. |
Payer country code. |
If transaction is a payment |
Presence, syntactic check of the country code |
||||||
|
12 |
MS Destination refund |
(2), point (c) |
Member State of destination of the refund. |
Country code of the refund’s beneficiary. |
If transaction is a refund under box 7 |
Presence, syntactic check of the country code |
||||||
|
13 |
Payer Location information |
(2), point (c) |
Indication of the information used to determine the origin of the payment or the destination of the refund. The details of the information shall not be transmitted to avoid identification of the payer. |
Payment service providers indicate that the location was deduced from
The ID itself (IBAN number, BIN number, address) should never be transmitted. |
Yes |
Presence |
||||||
|
14 |
Transaction ID |
(2), point (d) |
Any reference which unambiguously identifies the payment transaction. |
Acquirer Reference, transaction ID. |
Yes |
Presence |
||||||
|
15 |
Physical presence |
(2), point (e) |
Any reference which indicates the presence of the payer in the physical premises of the merchant when initiating the payment. |
Point of Sale (POS) Entry Mode |
If applicable |
Presence |
(1) Regulation (EU) No 260/2012 of the European Parliament and of the Council of 14 March 2012 establishing technical and business requirements for credit transfers and direct debits in euro and amending Regulation (EC) No 924/2009 (
OJ L 94, 30.3.2012, p. 22
).
Feedback