CESOP Reporting: PSP & SaaS VAT Compliance Guide

Cross-border payment fraud costs the European Union (EU) billions in lost VAT revenue each year. To combat this, the European Commission launched the Central Electronic System of Payment Information, or CESOP. This data-tracking initiative has transformed how payment service providers (PSPs) like Stripe, Ayden, and traditional banks must report detailed quarterly payments to EU taxing authorities. 

While PSPs handle the reporting, their customers, such as e-commerce and SaaS companies, are the ones who are exposed to tax risk due to this new compliance measure. 

This guide helps PSPs understand their CESOP obligations and shows CFOs how to protect their companies from non-compliance penalties. 

What Is CESOP and What It Means for PSP Data Workflows and Tax Exposure

A New Era of Tax Transparency

CESOP has changed the game when it comes to EU cross-border payments. The system allows tax authorities to see the flow of payment and easily spot VAT fraud patterns that were previously invisible. 

For example, EU tax authorities can now spot when a payee receives significant cross-border payments but is not registered for VAT. All this data is managed in a centralized European database managed by Eurofisc, the EU’s anti-fraud network. This means member states can now share this payment intelligence instantly.

For PSPs, this means setting up new compliance systems. For companies receiving EU payments, it means your payment patterns are now transparent to tax authorities across all 27 member states. 

Which PSPs Are Impacted

The Payment Services Directive 2 (PSD2) states that the following PSPs are required to comply with CESOP:

• Credit institutions, such as banks
• Electronic money institutions
• Post-office giro institutions
• Payment institutions like Stripe and Ayden
• Small payment institutions (SPIs)

Any PSP operating in the EU must monitor cross-border payments. When a payee receives more than 25 qualifying cross-border transactions in a calendar quarter, the PSP must report all transactions for that payee, not just the transactions above the threshold. 

It’s important to note that the threshold applies per payee, not per account. So, if your business has more than one PSP account, they’re still required to report all of your transactions across accounts.

Why SaaS Finance Leaders Should Care

EU tax authorities use CESOP to match financial transactions against VAT filings. If your company receives 30 payments from German customers in a quarter but hasn’t registered for VAT, then expect contact from German tax authorities.

The system creates automatic discrepancy alerts. When payment data shows significant EU revenue but VAT returns show nothing, audits will follow. CFOs must work with their PSPs to understand exactly what data gets reported and ensure their VAT registrations align with payments.

For many companies, CESOP becomes the trigger for proper VAT compliance. The days of flying under the radar without registering ended when CESOP reporting began.

In-Scope Transactions and Triggers for Reporting

What Counts as a Cross-Border Payment

CESOP captures any payment where the payer is located in one EU member state and the payee is located either in another EU member state or outside the EU entirely. The key factor is the cross-border element.

In-scope transactions include:

• Credit card payments from EU customers
• Direct debits cross borders
• Wire transfers between member states
• Money remittances
• Any payment transaction covered under PSD2

Domestic payments within the same member state do not trigger CESOP reporting. For example, a Hungarian customer paying a Hungarian merchant is out of scope even if that payment is made with an international PSP.

The 25-Payment Threshold Rule

The 25-payment rule triggers CESOP reporting requirements. Payees with 25 or fewer cross-border payments in a quarter are not reported. But once a payee hits 26 cross-border payments in a quarter, then all payments, including the first 25, are reported to taxing authorities. 

PSPs track this quarterly on January 1st, April 1st, July 1st, and October 1st. Once the quarter ends, the payment counter resets. But once the reporting obligation is triggered, all payments for that quarter are reported, even if they occurred before the 26th payment.

PSPs must also be sure to aggregate all payments for a single payee, even if they have multiple PSP accounts.

Common Misunderstandings

Many assume that EU-to-EU transactions aren’t subject to CESOP reporting, but that's not the case. The only difference is that when both the payer's PSP and the payee's PSP operate in the EU, the payer's PSP gets relief from reporting.

However, intermediate PSPs in the payment chain don't get this exemption. If Stripe processes a payment between two EU entities but routes it through a non-EU processing center, Stripe still reports.

Another common misunderstanding deals with transaction count vs. monetary value. CESOP operates on transaction count only. Twenty-six payments of €1 each trigger the same reporting as twenty-six payments of €10,000 each

What Data Must Be Reported (and in What Format)

 Mandatory CESOP Data Fields

• Payee identification
  
  • Legal and trading name
  • Complete address including country code
  • VAT identification number (or tax identification number (TIN) if no VAT number exists)
• Payment details
  
  • IBAN or account identifier
  • BIC codes for international transfers
  • Individual transaction amounts, timestamps, and currencies
  • Originating member state of the payer
• Refund tracking
  
  • Refund indicators leading back to the original transaction 
  • Refund amounts and dates
  • Original payment reference numbers

Note that missing or incorrect data will lead to rejection.

File Format & Technical Requirements 

CESOP reports must be submitted in XML format. The European Commission provides an official XSD (XML schema definition) that PSPs must follow exactly. There’s also an official user guide to assist with formatting. 

It’s vital to understand that files must pass XML validation before submission. A single formatting error causes rejection of the entire quarterly report, so validation before submitting is required. Also note that the EU updates their technical specifications periodically. PSPs must monitor for changes and make sure they’re submitting reports in the most updated format.

Where to Submit the Report

Each PSP reports to the tax administration where it’s established or licensed. A French PSP reports to French authorities even if reporting payments involving other member states. 

PSPs with presence in multiple jurisdictions may be required to file in more than one country. Each country has its own submission portal, deadlines, and technical requirements. Note that some allow uploads through secure FTP while others may require manual submissions or have their own unique requirements.

Technical and Operational CESOP Reporting Challenges

Data Consolidation & Quality Assurance

Most PSPs run multiple payment systems. They may have one for cards, one for transfers and even a third for emerging payment platforms. However, they must consolidate this data into one format for CESOP reporting.

Due to potential data quality issues, PSPs should use automated validation to check for incorrect or missing fields before quarterly deadlines.

Real-time monitoring is one way to help catch issues early. Waiting until quarter end to discover problems can lead to late fees and penalties. Prepared PSPs build daily CESOP readiness dashboards tracking threshold approaches and data completeness.

Multi-Jurisdiction Reporting Complexity

Each member state interprets CESOP differently. For example, France might accept certain data formats that Spain rejects.

Deadlines different from country to country, too. Most states require filing by month-end following each quarter, but some allow extensions. Missing one country's deadline while meeting others creates compliance gaps that attract scrutiny.

Language requirements add another layer of complexity. Some authorities require local language submissions alongside English. Others demand specific national tax identifiers that don't exist in other member states.

Penalties and Audit Triggers

Non-compliance triggers automatic penalties ranging from €1,000 to €50,000 per quarter, depending on the jurisdiction and severity. 

Incorrect data is worse than late data. Submitting incorrect information can trigger a criminal fraud investigation, especially if patterns suggest deliberate VAT avoidance. PSPs can also become liable for user’s tax crimes if reporting negligence enables VAT fraud.

The EU uses algorithms to trigger audits. Sudden changes in payment patterns, missing data fields, or mismatches with other EU databases flag accounts for investigation. Once flagged, both PSP and payee face scrutiny across all EU operations.

How CFOs Can Coordinate With PSPs (And Why It Matters)

CESOP Reporting Is a Mirror to Your Sales

Although PSPs actually file the CESOP reports, the data reflects your sales. Every EU payment you receive becomes visible to tax authorities. If you’re processing 26+ payments per quarter, you’re in the system.

Tax authorities automatically match CESOP data against VAT filings. Any discrepancy triggers an investigation. If CESOP shows €100,000 in Bulgarian transactions but you haven’t registered for Bulgarian VAT, you can expect to hear from the Bulgarian tax authorities. 

The matching works both ways. Under-reporting VAT while CESOP shows higher payment volumes suggests fraud. Over-reporting VAT without corresponding CESOP data implies money laundering. Either triggers audits.

Validate Your PSP’s Reporting Setup

CFOs should audit their PSPs CESOP readiness. Ask questions like: 

• Are you capturing all required CESOP fields?
• How do you aggregate payments across our multiple accounts?
• What's your threshold monitoring process?
• Can you provide copies of CESOP submissions?

Don’t assume even the largest PSPs have this handled. Smaller PSPs or regional banks might still be struggling with implementation. 

Verify your business’s data accuracy. Ensure your PSP has your correct VAT numbers, legal entity names, and registered addresses. Any discrepancy between what your PSP reports and your actual filings creates audit risk.

Prepare for CESOP Audits Proactively 

Maintain your own cross-border payment records independent of PSP reporting. Track every EU payment received, including amounts, dates, and customer locations. This will become your audit defense documentation. 

Create quarterly reconciliations matching your records to expected CESOP reports. If you know you’ve crossed thresholds, ensure corresponding VAT registration exists before tax authorities come calling.

Consider preemptive VAT registration in high-volume member states. Better to register voluntarily than explain why CESOP shows unreported revenue. Voluntary compliance always receives better treatment than forced compliance.

CESOP Reporting Doesn’t Have to Be a Headache

Automated VAT Compliance at Every Step

‍Sphere’s AI-powered platform handles VAT calculation, registration, filing, and remittance across 80+ jurisdictions globally. When CESOP exposes your EU payment flows, Sphere ensures you're already compliant.

The platform monitors economic nexus thresholds in real-time. Before you hit VAT registration requirements, Sphere alerts you and initiates registration processes. No more surprises when CESOP data reaches tax authorities.

Sphere’s technology validates VAT numbers instantly, ensures correct tax rates, and generates compliant invoices automatically. Every transaction is audit-ready from day one.

CESOP-Ready Integrations and Data Support

Sphere integrates directly with major PSPs to track your payment flows. The platform validates that your PSP captures correct CESOP data fields and alerts you to any discrepancies before quarterly reports.

Our XML validation tools ensure your data meets CESOP schema requirements across all member states. We track format changes and update validations automatically, preventing rejection due to technical issues.

The platform maintains detailed payment logs that match CESOP reporting periods. When auditors request support for CESOP data, you have immediate access to transaction-level documentation. While businesses are not required to make CESOP reports, it’s vital to understand what your PSPs are reporting in order to ensure these values match and tax authorities don’t come around asking questions.

Reduce Risk Across PSP and Merchant Ecosystems

Sphere reconciles your actual payment data against VAT obligations, identifying gaps before they become problems. 

Our AI-powered platform continuously monitors regulatory changes across EU member states. When CESOP requirements evolve or new guidance emerges, your compliance processes update automatically.

Ready to simplify SaaS sales tax compliance?

Schedule a demo with Sphere today.

Book a Call

EU Tax Authorities Are Watching. Be Confident in What You Report

CESOP is the EU’s most aggressive anti-fraud initiative to date. Payment service providers now shoulder massive reporting burdens while e-commerce and SaaS platforms face unprecedented scrutiny of their cross-border revenues. The system makes VAT avoidance virtually impossible.

But CESOP also creates opportunity. Companies that embrace transparency and automate compliance gain a competitive advantage. While others scramble to explain payment discrepancies, compliant businesses operate without fear of audits or penalties.

Sphere makes cross-border VAT compliance simple, even as CESOP requirements grow more complex.