Do you want to provide Peppol services to end-users within the jurisdiction of the Netherlands? Then your organisation must comply with the Peppol Authority Specific Requirements (PASR) for the Netherlands.
Additional requirements for operating in the Netherlands
The NPA may impose additional requirements to those of OpenPeppol and/or the Peppol Authority you are affiliated to. You can find all requirements in our Peppol Authority Specific Requirements (PASR). The NPA may request the following information:
- An ISO27001 certificate or a TPM (Third Party Memorandum)
- Description of your End User Identification (EUI) process
- A statement saying you will operate towards end-users in accordance to our PASR
- Your endpoint URL(‘s)
Here's a more detailed explanation of the additional information:
1. ISO27001 certificate or a TPM
ISO27001 is the global standard for information security. It details requirements for a documented Information Security Management System (ISMS) in the context of the organisation's overall business risks. The certifying organisation for your ISO certificate must be accredited by an International Accreditation Forum (IAF) member. The ISO certificate should contain the services offered as a Peppol service provider.
If your organisation is not yet ISO27001 certified, an assurance report created by a third party (TPM = Third Party Memorandum) may suffice. This report has to be compiled by a registered and independent IT auditor, and it must demonstrate that your information security complies with ISO27001 requirements and thus contains the ISO27001 controls.
Note: the OpenPeppol Managing Committee decided in its MC200 meeting on 10 December 2025 to formalise ISO/IEC 27001 as the mandatory certification associated with global accreditation from 1 July 2027.
2. EUI Process
The End User Identification (EUI) principle stipulates that you must verify the End User before acceptance and (as a minimum) yearly evaluate. Consequently, the NPA requests a process description detailing how the End User's identity will be confirmed and how data will be managed. The conditions for End User Identifications are outlined in article 3.3 of the OpenPeppol Internal Regulations.
3. Statement
We require a statement confirming you will operate towards End Users from the Netherlands according to the conditions of the Peppol Interoperability Framework, and in particular our Peppol Authority Specific Requirements. This statement can be submitted via email or as a separate document.
4. Endpoint URL
As per the OpenPeppol SLA, we monitor your services availability. Therefore, we need your Endpoint URL(‘s) for our monitoring tool.
Please note: Are you not (yet) affiliated to OpenPeppol or another Peppol Authority? We have drawn up a guide to join the NPA (Dutch).
Want to be listed on peppol.nl and join the Dutch NPA service provider community?
Service providers that are already connected to the Peppol network and affiliated with OpenPeppol and/or another Peppol Authority can request inclusion in the overview of service providers on peppol.nl and in the Dutch NPA Service Provider Community. If you would like to be included, please contact us by sending an email to operations@peppolautoriteit.nl.