ISO 27001 Peppol Service Provider Certification Becomes Mandatory Worldwide
Brussels, 13 July 2026 – OpenPeppol’s Managing Committee (MC200) has decided that ISO 27001 Peppol service provider certification will become mandatory for every Peppol service provider worldwide from 1 July 2027. The decision replaces a patchwork of national security requirements with one internationally recognised baseline.
What the new requirement covers
ISO/IEC 27001 is the internationally recognised framework for information security management. It describes how an organisation systematically identifies, controls and continuously improves risks related to information security, and is typically verified by an independent certification body. With the MC200 decision, this framework becomes the common baseline for every certified Peppol Access Point, regardless of which country the service provider operates from.
Providers that are not yet certified have until 1 July 2027 to get their certification in order. Interim security requirements apply during the transition period, so the network does not suddenly lose providers who are still mid-way through certification. To officially operate as a Peppol Access Point, organisations must meet a fixed set of conditions: OpenPeppol membership, support for the Peppol Business Interoperability Specifications (BIS) and the Service Metadata Publisher (SMP), and now ISO 27001 certification as well.
The Netherlands was already ahead
For Dutch service providers, this is less of a surprise than it might seem elsewhere. The Netherlands Peppol Authority (NPA) has long required ISO 27001 certification for service providers, with an alternative route via an assurance report (Third Party Memorandum) prepared by an independent, registered IT auditor. That report must demonstrate that the service provider’s information security meets ISO 27001 requirements, even without a formal certificate.
Belgium has so far applied a more pragmatic framework, and Germany has accepted multiple standards side by side. Australia and New Zealand already required ISO 27001 for their local Access Points as well. The worldwide MC200 decision now brings these divergent national requirements together under one standard, giving internationally operating service providers and their clients more clarity and less regulatory fragmentation.
What this means for businesses and Peppol service providers
For finance managers and IT decision-makers selecting a Peppol service provider, ISO 27001 certification becomes an objective, verifiable selection criterion instead of an implicit expectation. Businesses currently working with a non-certified provider should ask about the certification roadmap and the timeline towards 1 July 2027, particularly in sectors where information security is also a contractual or supervisory requirement, such as financial services, government, and healthcare.
For service providers themselves, the decision means certification is no longer a voluntary competitive advantage but a hard condition for staying on the Peppol network. Providers that are already ISO 27001 certified, as was already common in the Netherlands, will need to change little in practice. Providers still starting out get roughly a year to complete the certification process, which is no small margin given that an ISO 27001 project often takes six to twelve months.
The measure also fits a broader trend: as Peppol e-invoicing becomes mandatory in more and more countries, the need for demonstrable, uniform security guarantees among the parties sending and receiving invoices on behalf of businesses keeps growing. An ISO 27001 Peppol service provider certification gives procurement and IT teams a benchmark that does not depend on a supplier’s size or reputation.
Businesses that want to check whether their current or future Peppol service provider meets the new security requirement can use this as an extra filter via the Peppol.nu comparison tool. More background on the requirements for becoming a certified service provider is available in the earlier article Becoming a Peppol Certified Service Provider. In short: anyone selecting an ISO 27001 Peppol service provider now, or following up on their current provider’s certification path, is not only ahead of the 1 July 2027 deadline but is also building a demonstrably more secure e-invoicing chain.






