French finance law 2025: End of the self-certification in terms of cash register software

I. The concept of cash register software

A cash register software or system is a computer solution integrating a specific functionality that allows the recording of payments received in return for the sale of goods or services. It is distinguished by its ability to memorize these receipts in an extra-accounting manner, that is, without automatically generating a corresponding accounting entry. Conversely, software that systematically and instantly triggers an accounting entry, without human intervention, does not fall under this definition.

All software or systems allowing the recording of customer payments, regardless of the method of payment (cash, checks, bank cards, transfers, direct debits, etc.), are affected by this obligation. This also includes software that can be accessed online or integrated into cloud platforms.

Since January 1, 2018, professionals subject to VAT using cash register software or system must ensure that it complies with the requirements of inalterability, security, preservation and archiving of data. This compliance must be justified by a certification issued by an accredited body or, until 2025, by a certificate from the software publisher.

In the case of multifunctional software (accounting, management, cash collection), only cash register modules are subject to this certification requirement, and not the entire software. Thus, the accounting and commercial management functionalities integrated into these software are not affected, unless they include a cash register or cash register function.

Specific devices concerned

Without this list being exhaustive, the following are subject to the security obligation:

• Regulated measuring instruments equipped with a payment memory device, such as scales used to determine the price of items based on their weight, as long as they also record payments.
• Automatic payment machines and order terminals authorizing payments in cash or via means other than bank cards.
• Vending machines for goods (drinks, snacks, etc.) integrating cash register functionality.

On the other hand, order terminals without a payment function as well as payment terminals alone are not subject to this obligation.

Special cases and exclusions

Some taxable persons benefit from administrative tolerance and are exempt from the security obligation, in particular:

• Merchants whose payments are processed exclusively by a credit institution subject to the tax authority's right of communication.
• Companies using European banking platforms complying with the automatic exchange of information obligations provided for in Council Directive 2011/16/EU of 15 February 2011.

Therefore, an e-commerce site that only accepts payments via an authorized banking institution may be exempt, while a merchant offering several payment methods (cash, checks, prepaid cards, etc.) remains subject to the obligation.

This exclusion does not cover certain platforms established outside France (Paypal for example).

Free software developed in-house

Software or cash register systems called “free” or developed in-house are also affected by the obligation to secure.

Free software is software whose users have the ability to modify and distribute the source code.

Software developed internally is designed by the subject himself, by a group company or by an external service provider.

In all cases, changes made to software that is already certified must not alter or compromise compliance with the conditions of inalterability, security, conservation and archiving of data related to payments. Thus, developments must not alter the functionalities of cash register software.

‍

II. Who is concerned?

The obligation to use software or a secure cash register system, in accordance with 3° bis of I of article 286 of the FTC, applies to persons subject to VAT, whether natural or legal persons, under private law or under public law, who carry out deliveries of goods or services that do not give rise to compulsory billing within the meaning of article 289 of the FTC (BOI-TVA-DECLA-30-20-30). This system concerns all sectors of activity as long as these taxable persons use software or a cash register system.

A. Exclusion cases

Excluded are:

• taxable persons carrying out exclusively transactions between professionals (B to B) are excluded from the scope of application, as their transactions must be invoiced.
• Conversely, taxable persons carrying out both transactions with professionals and transactions with individuals must comply with this obligation.
• A taxable person who voluntarily issues an invoice to an individual, although the regulations do not require him to do so, does not exempt himself from the obligation to secure his software or cash register system.

In accordance with 2 of II of article 286 of the FTC, the following are not subject to this obligation:

• Taxable persons benefiting from the basic franchise regime (article 293 B of the FTC);
• Taxable persons covered by the lump-sum agricultural reimbursement regime (articles 298 quater and 298 quinquies of the FTC);
• Taxable persons carrying out exclusively transactions exempt from VAT (bank, insurance, rental company exempt from VAT, etc.).

B. Special cases

For illustration,

• An individual selling goods or providing services via an online platform, facilitating the connection between sellers and buyers, may be subject to the obligation to secure cash register software or systems if he is qualified as a VAT payer.
• Companies mandated to manage cash receipts via software or a cash register system on behalf of another taxable person must use software or a system that meets the requirements of inalterability, security, preservation and archiving of data.
• Branches and subsidiaries of foreign companies established in France are affected by this obligation. However, foreign companies registered for VAT but not established in France benefit from administrative tolerance and are excluded from the system.

III. Data concerned by the security obligation

Cash register software and systems must ensure the recording and preservation of data relating to commercial transactions, whether sales of goods or the provision of services. This obligation covers all information related to the completion and monitoring of a transaction, including information that guarantees the integrity and traceability of recorded transactions.

Thus, the data concerned includes essential transaction information, such as:

o The number of the supporting document (ticket, invoice, note...),

o The exact date and time of the operation,

o The identifier of the cash register used,

o The total amount invoiced, all taxes included,

o Details of the products or services sold (description, quantity, unit price, amount excluding tax and applicable VAT rate),

o The method of payment used, whether the payment is immediate or delayed,

o Records of changes or corrections made to transactions.

In addition, software must also store data that ensures the traceability and reliability of records, in particular those intended for the creation of archives that comply with regulatory requirements.

Transactions carried out in test or training mode, via a simulator integrated into the software, must also be recorded and secured.

IV. Obligations and technical requirements

1. Data inalterability

The software must prevent any modification or deletion of recorded data without keeping a record. Any correction must be made through compensation operations (“plus” and “minus”), without direct alteration of the original data.

The guarantee of inalterability is based on:

• An access restriction preventing direct changes to validated data,
• A system for detecting alterations, by digital fingerprinting or chaining, proving that the data has not been modified since its initial registration,
• Detailed tracking of changes, including the precise timestamp of each correction.

2. Securing data

The software must protect the transactions recorded as well as the receipts issued. This protection aims to ensure:

• The recording and maintenance of all transactions, including changes to them,
• The impossibility of deleting data without trace,
• The use of reliable technical processes, such as the chaining of records or the electronic signature.

Particular attention is paid to test and training modes, which must be clearly identified to avoid confusion with real transactions.

3. Data Retention

All transactions, including their line-by-line details, should be retained for a minimum of six years.

The software must include:

• A daily, monthly and annual closure of registrations, making it possible to ensure accurate monitoring of operations,
• Secure archiving of data before any deletion to free up space,
• Maintaining cumulative totals, including the perpetual total, which should never be reset to zero.

Businesses using centralized systems must ensure that data stored on a secure server is transmitted and stored.

4. Data archiving

The software must allow data to be archived on a periodic basis, at least annually.

The purpose of archiving is to:

• Freeze the recorded data, giving them a certain date,
• Guarantee their integrity, to ensure their compliance with the original records,
• Facilitate their access in the event of a tax audit, by providing readable files in open format.

The archives can be stored within the software or on a secure external medium (USB stick, external hard drive, remote server). Before any data is purged, a complete archive file must be generated.

V. What are the sanctions in case of non-compliance?

In the event of non-compliance with the obligations, a fine of €7,500 per non-compliant software or system is applied, with an obligation to comply under penalty of additional sanctions. The tax administration may require access to transaction records and archives at any time.

If a certificate is not produced, the operator has 60 days to demonstrate that he met the conditions provided for by law. It is therefore, henceforth, impossible in practice to be certified within this period.

VI. The impacts of the end of the self-certification

Until 2025, professionals subject to VAT using software or a cash register system could justify its compliance with legal requirements either by an individual self-certificate issued by the software publisher, or by a certification obtained from an accredited body (AFNOR or Infocert).

However, the 2025 finance law puts an end to this possibility of self-certification by the publisher himself. From now on, only certification issued by an accredited body will be recognized as proof of compliance.

1. Obligation for publishers to obtain certification from accredited body

Cash register software publishers must have their solutions certified by an approved organization. This certification will guarantee compliance with the requirements of inalterability, security, preservation and archiving of data imposed by the tax administration.

2. Risk for businesses using uncertified software

Taxpayers who still use software or a cash register system only certified by the publisher will have to ensure before 2025 that their solution has been certified by an accredited organization.

⚠️ Otherwise, in the event of a tax audit, the company is liable to a fine of €7,500 per non-compliant software or system, with an obligation to regularize.

3. Need for businesses to check the compliance of their software

Taxable persons must anticipate this evolution by taking the following measures:

• Check with their publisher if their software is in the process of certification and ask for an official certificate issued by an approved organization.

• If their software cannot be certified, consider migrating to a compliant solution before the requirement comes into force.

• Update contracts and commitments with publishers to ensure compliance with tax requirements is maintained.

4. Impact on software developed in-house or in open source

Businesses using software developed in-house or free software will have to either obtain certification for their own solution, or adopt software that is already certified to avoid any risk of non-compliance.

‍

‍