As digital commerce continues to grow across borders, so does the challenge of keeping tax reporting transparent and consistent. To address this, the European Union launched the Central Electronic System of Payment Information (CESOP): a framework designed to combat VAT fraud in cross-border e-commerce.
Since 1 January 2024, payment service providers (PSPs) operating within the EU have been required to record and report cross-border payment data to their local tax authorities. This information is transmitted to CESOP, a central EU database that enables authorities to detect and prevent VAT evasion more effectively.
Now, in 2025/26, CESOP has moved from preparation to full implementation. With new technical specifications (such as XSD 4.03 and Validation Module v1.7.0) being rolled out across Member States, the focus is shifting from initial compliance to data quality, validation accuracy, and ongoing reporting efficiency.
For PSPs, this means CESOP compliance isn’t a one-time project – it’s an ongoing operational requirement that demands reliable systems, well-structured data, and strong governance to avoid reporting errors and regulatory scrutiny.
We’ll explore what CESOP is, who is subject to it, and how it affects EU payments and payment service providers in 2026.
Topics covered include:
- What is CESOP?
- Who needs to comply with CESOP?
- Which transactions are in scope for CESOP reporting?
- How is CESOP data reported?
- Operational and compliance implications of CESOP
- Broader impact on EU payments
- What should businesses do next?
What is CESOP?
CESOP – the Central Electronic System of Payment Information – is an EU-wide data exchange system created under Council Directive (EU) 2020/284 and Council Regulation (EU) 2020/283.
Its main goal is to improve transparency and traceability in cross-border payments, helping Member States identify VAT fraud linked to online sales and other international transactions.
Here’s how it works:
- Payment service providers (banks, e-money institutions, and payment institutions) must collect and report information on cross-border payments where the payer is located in one EU Member State and the payee in another country.
- Reporting applies when a payee receives more than 25 cross-border payments per quarter – a clear threshold designed to identify active sellers or merchants.
- The data collected is then sent to CESOP, where it’s stored, cross-checked, and analysed by tax authorities across the EU to detect patterns of VAT evasion.
Ultimately, CESOP is part of the EU’s broader strategy to modernise VAT reporting, close compliance gaps, and level the playing field for legitimate businesses across Europe.
Who needs to comply with CESOP?
If your business provides payment services within the European Union, CESOP likely applies to you. The reporting requirement covers all Payment Service Providers (PSPs) defined under the Payment Services Directive (PSD2) and will continue under the PSD3 and Payment Services Regulation (PSR) framework.
That means banks, electronic money institutions, payment institutions, and merchant acquirers – as well as retailers or marketplaces offering ‘in-house’ payment services – are all within scope. Even smaller PSPs operating under small payment institution exemptions (SPIs) may need to comply if their transaction volumes exceed the reporting threshold.
CESOP’s goal is simple but far-reaching: to give EU tax authorities clearer visibility into cross-border payments that may indicate undeclared VAT activity. To achieve this, PSPs must track, record, and report specific payment data every quarter.
UK-based and non-EU PSPs
CESOP’s reach doesn’t stop at the EU’s borders. UK-based PSPs and other non-EU providers that process cross-border payments involving EU payers or payees are also impacted. If you handle EU-originating payments, you’ll likely need to comply with CESOP reporting requirements through an EU entity or local representative.
The 25-payment threshold
The rules apply when a payee receives more than 25 cross-border payments per calendar quarter from payers in the EU. Once that threshold is reached, all transactions to that recipient during the quarter become reportable – not just those beyond the limit.
Why this matters
Even if your business processes a relatively low volume of cross-border transactions, it’s crucial to continuously monitor your status. Once you exceed the threshold or fall under the CESOP scope, compliance must begin immediately. Implementing scalable systems and internal checks now will help avoid compliance risks, penalties, or retrospective reporting headaches later.
Which transactions are in scope for CESOP reporting?
Not every transaction falls under CESOP – but for those that do, the reporting requirements are detailed and precise. The key factor is whether the payment is cross-border, meaning the payer is located in one EU member state, and the payee (the recipient of the funds) is located in another country – either inside or outside the EU.
In these cases, EU-based PSPs that process such payments must collect, store, and report specific payment information to their national tax authorities every quarter.
When reporting is required:
If a payee receives more than 25 cross-border payments in a single calendar quarter, PSPs must report data for all those payments – not just the ones beyond the threshold. This helps tax authorities identify potential VAT liabilities from frequent cross-border transactions.
When reporting is not required:
CESOP doesn’t apply to every cross-border transaction. There are key exceptions:
- If both the payer’s and the payee’s PSPs are based within the EU, the payer’s PSP is generally exempt from reporting.
- However, if there’s an intermediary PSP involved in the payment chain, that intermediary may still have reporting obligations.
- Domestic (same-country) payments, cash withdrawals, and purely internal fund transfers are not in scope.
What data must be reported:
The data that PSPs must report includes:
- Identification details of the payee (such as name, VAT or tax ID, and account number)
- The amount, currency, and date of each transaction
- The location of the payer and payee, often derived from IBAN or BIC codes
- The number and total value of cross-border payments per payee per quarter
This information is transmitted in a standardised XML format to national tax authorities, which then forward it to the European Commission’s CESOP database after validation.
How is CESOP data reported?
CESOP reporting is a structured, quarterly process designed to give EU tax authorities a clear view of cross-border transactions. Understanding how the data flows is crucial for compliance and avoiding penalties.
Step 1: Reporting to local tax authorities
EU PSPs with reportable transactions must submit their data to the tax authority in their home member state, as well as any host member states where they operate. The payer and payee locations are primarily determined via IBAN and BIC codes, ensuring payments are correctly assigned to the appropriate jurisdictions.
Step 2: Standardised format
To streamline reporting across the EU, all CESOP data must be submitted in a standardised XML format. The European Commission continuously updates these specifications – in 2025, PSPs should follow the latest XSD 4.03 schema and Validation Module v1.7.0. Using the correct format helps avoid errors and delays in validation.
Step 3: Data validation and quality checks
Once received, local tax authorities review the data for completeness and accuracy. If errors are detected – such as missing payee information, incorrect IBANs, or inconsistent amounts – PSPs must correct and resubmit the data promptly.
Step 4: Centralisation at CESOP
After validation, the information is forwarded to the central EU CESOP database, where it can be accessed and analysed by all relevant member states. This central repository allows authorities to:
- Detect patterns of potential VAT fraud
- Monitor high-volume payees and cross-border transactions
- Support fair and efficient taxation across the EU
Why this matters in 2025
With CESOP now fully operational, timely and accurate reporting is critical. PSPs must ensure:
- Systems can extract and compile data efficiently
- Data is clean, complete, and validated before submission
- Processes are in place to handle corrections quickly if validation fails
For PSPs, the message is clear: CESOP isn’t just a regulatory formality. It’s an ongoing operational responsibility that requires well-maintained systems, structured data workflows, and strong compliance governance.
Operational and compliance implications of CESOP
CESOP isn’t just a reporting requirement: it impacts PSP operations and compliance processes across the EU. Staying ready in 2025 means ensuring systems, data, and workflows are fully aligned.
- Data and systems: PSPs must capture, extract, and compile cross-border payment data in the required XML format, ensuring it’s accurate and complete.
- Validation and quality checks: Regular audits, automated rules, and clear processes for correcting errors help avoid rejected reports and regulatory scrutiny.
- Multi-country compliance: PSPs operating in multiple EU states must track reporting obligations in each jurisdiction and avoid duplicate submissions.
- Governance: Clear roles, documented workflows, and team training ensure CESOP obligations are met efficiently and consistently.
- Strategic benefits: Beyond compliance, CESOP-ready processes improve data quality, support fraud detection, and position PSPs for future EU digital finance initiatives like PSD3 and DORA.
Broader impact on EU payments
CESOP is a key part of the EU’s broader digital finance strategy, and its effects go beyond compliance. By centralising cross-border payment data, CESOP helps streamline operations, enhance transparency, and strengthen financial security across member states.
- Faster, more efficient payments: Clearer visibility into cross-border transactions enables smoother and more predictable payment flows, benefiting both businesses and consumers.
- Improved regulatory oversight: CESOP equips tax authorities with the data needed to tackle VAT gaps, reduce fraud, and maintain a fair, competitive market.
- Stronger financial sovereignty: By consolidating EU payment data and reducing reliance on external infrastructures, CESOP supports a more independent and secure European payments ecosystem.
In short, while CESOP introduces operational responsibilities, it also lays the foundation for a more efficient, secure, and transparent EU payments landscape – a win for regulators, PSPs, and end users alike.
What should businesses do next?
CESOP compliance is now an essential part of operating in the EU payments landscape. To stay ahead in 2025, businesses and PSPs should take proactive steps:
- Conduct a CESOP readiness assessment: Review current processes, data flows, and reporting capabilities.
- Map data sources and responsibilities: Identify where cross-border payment data resides and who is accountable for reporting.
- Review systems for extraction and validation: Ensure your platforms can generate accurate, compliant reports in the required XML format.
- Train compliance teams: Make sure staff understand CESOP requirements, workflows, and error-correction procedures.
- Consider partnering with compliant providers: Collaborating with payment providers like Brite can simplify reporting and ensure smooth CESOP compliance.
Taking these steps will help your business stay compliant, streamline reporting, and minimise operational risks – while positioning you to benefit from the EU’s evolving digital finance landscape.
Faster, smarter, and more secure with Brite
As a European Union Payment Service Provider, Brite records and reports transactional details for cross-border payments to local tax authorities. This is just one of the ways Brite ensures that its instant account-to-account (A2A) payments are not only fast but secure and that payment fraud is tackled.
If you want to learn more about Brite’s low-cost payment services, contact one of our experts today.
