How you can join the Netherlands Peppol Authority (NPA)

You have to send your application to support end-users in the Netherlands, including the signed PEPPOL Service Provider Agreement, to the NPA by email: operations@peppolautoriteit.nl. The information you submit will only be used to process your application. The NPA has a privacy policy that we can send to you upon request.

The NPA evaluates your application and determines whether or not it will be processed.

The NPA may impose additional requirements to those of OpenPeppol and/or the Peppol Authority you are affiliated to. You can find all requirements in our Peppol Authority Specific Requirements (PASR). Besides the PASR requirements, we need additional information.

Please submit:

1. An ISO27001 certificate or a TPM (Third Party Memorandum)
2. Description of your End User Identification (EUI) process
3. A statement saying you will operate towards end-users in accordance to our PASR
4. Your endpoint URL(‘s)

Here's a more detailed explanation of the additional information you need to supply:

1. ISO27001 certificate or a TPM

ISO27001 is the global standard for information security. It details requirements for a documented Information Security Management System (ISMS) in the context of the organisation's overall business risks. The certifying organisation for your ISO certificate must be accredited by an International Accreditation Forum (IAF) member. The ISO certificate should contain the services offered as a Peppol service provider.

If your organisation is not yet ISO27001 certified, an assurance report created by a third party (TPM = Third Party Memorandum) may suffice. This report has to be compiled by a registered and independent IT auditor, and it must demonstrate that your information security complies with ISO27001 requirements and thus contains the ISO27001 controls.

2. EUI Process

The End User Identification (EUI) principle stipulates that you must verify the End User before acceptance and (as a minimum) yearly evaluate. Consequently, the NPA requests a process description detailing how the End User's identity will be confirmed and how data will be managed. The conditions for End User Identifications are outlined in article 3.3 of the OpenPeppol Internal Regulations (version 2.0.0 29 November 2023).

3. Statement

We require a statement confirming you will operate towards End Users from the Netherlands according to the conditions of the Peppol Interoperability Framework, and in particular our Peppol Authority Specific Requirements. This statement can be submitted via email or as a separate document. This statement is a crucial part of the process.

4. Endpoint URL

As per the OpenPeppol SLA, we monitor your services availability. Therefore, we need your Endpoint URL(‘s) for our monitoring tool.

If you have submitted all required information, the NPA will review the documentation. If you comply to all requirements, the admission process will proceed, and you will be notified by email. If the documentation does not meet the requirements, you will receive a notification by email explaining the reason(s). You will be asked to submit the necessary information again.