top of page
  • Ivayla Angelova

The European union introduces new requirements for payment service providers

On 18 February 2020, the Council of the European Union (Council) adopted a legislative package on the processing of payment data to strengthen the combat against value added tax (VAT) fraud in e-commerce. The package consists of two legal acts:

- Council Directive (EU) 2020/284 of 18 February 2020 amending

Directive 2006/112/EC as regards the introduction of certain requirements for payment service providers;

- Council Regulation (EU) 2020/283 of 18 February 2020 amending Regulation (EU) No 904/2010 as regards measures to strengthen administrative cooperation to combat VAT fraud.


The new regulations have been in force since 1st of January 2024 and are already enforceable. They create an obligation for payment service providers, established and operating in the European Union, to keep records of the payments they process and lists of the payees of the relevant payments. Another key aspect of the amendments is the creation of a central electronic payment information system - CESOP. In this system, the data to be collected will be stored and processed in order to improve the fight against tax fraud in e-commerce, which is growing steadily.


The aim of the system is to limit the administrative burden on payment service providers by collecting data using a harmonized standard template and limiting the data collected to what is necessary to identify sellers and to combat VAT fraud in e-commerce. No data on the purchaser (payer) is collected, except for the presumed Member State of origin of the payment, and data on the seller is collected only if he receives a significant number of cross-border payments.


·                    Which entities have an obligation to report to the CESOP system?


The reporting obligation is only applicable to payment service providers who are legally defined in Article 243a of Directive 2006/112/EC and who provide payment services in the European Union.


As regards the definition of what constitutes a payment service provider, Article 243a refers to the definitions given in Directive (EU) 2015/23664 (Second Payment Services Directive, or PSD2). Not all payment service providers covered by the Directive automatically fall under the obligation to transmit information to CESOP. In fact, the provision of Article 243a limits the scope of the reporting obligation to the following four categories of payment service providers:


- credit institutions, which cover, for example, banks licensed in Europe as well as European branches of credit institutions whose central head office is outside the EU and which provide payment services;


- e-money institutions, which cover all payment service providers delivering payment services through e-money, e.g. e-wallet providers and e-voucher/card providers;


- payment institutions, a final category that may cover all payment service providers that do not qualify for inclusion in any of the other categories listed in PSD2. It may include companies that provide payment services such as issuing credit/debit cards, accepting payment transactions, processing payments, initiating payments, platforms that provide payment services and act on behalf of the payer and payee;


- Postal institutions that service current postal accounts and provide payment services.


The Second Payment Services Directive added central banks and public authorities to this list, but these entities are not covered by the obligation to report information to CESOP as they do not generally provide payment services covered by regulation.

Although the definition of payment service providers is quite broad and covers most of the payment services market, it has to be seen in relation to the rules applicable to the payment services that fall within its scope. Indeed, not all payment services are covered by the reporting obligation. It is therefore possible that an entity qualifies as a payment service provider as defined in Article 243a(1) of Directive 2006/112/EC but does not provide any of the payment services subject to reporting. That payment service provider would then not be subject to the obligation.


·                    Which payments shall be reported?


There are several cumulative conditions for a reporting obligation to arise for payments made in the CESOP system.

1.        Firstly, it is required that the payment services rendered are provided in connection with cross-border payments. A payment is considered to be cross-border when the payer is located in one Member State and the payee is located in another Member State or in a third country.

2.        A reporting obligation arises only in the case where a payment service provider delivers payment services corresponding to more than 25 cross-border payments to the same payee during a calendar quarter. The number of cross-border payments shall be calculated on the basis of the payment services provided by the payment service provider by Member State and by identifier. Where the payment service provider has information that the payee has several identifiers, the calculation shall be made per payee.


·                  Territorial scope 

The new regulations are applicable to all countries of the European Economic Area (EEA), which includes all Member States of the European Union as well as Iceland, Liechtenstein and Norway.


If you have any questions regarding the requirement to report data to the CESOP system, please do not hesitate to contact us at


This publication is informative in nature and does not constitute legal advice or legal opinion.


bottom of page