Peppol Validator

Peppol Access Points

The certified service providers that connect your business to the Peppol network. How they work, how they get certified, and how to pick one for sending and receiving e-invoices.

By Peppol Validator · Last updated

What an Access Point does

An Access Point is the certified entry and exit point to the Peppol network. It is the only thing that talks AS4 over the wire. Your accounting or ERP system hands it a document and the Access Point takes care of every step required to deliver that document to a recipient anywhere on the network: format conversion, validation, signing, encryption, recipient discovery, transmission and delivery acknowledgement.

The same Access Point handles the receiving direction. Inbound AS4 messages are decrypted, verified against the sender certificate, validated against the Peppol BIS Billing 3.0 schematron rules and forwarded to your back-office system in the format that system expects. The acknowledgement is sent back to the sender Access Point automatically.

You never have a direct connection to another company. Buyers and sellers only ever talk to their own Access Point. That is what makes the four-corner model work and what differentiates Peppol from traditional EDI: a single connection gives you reach to every other participant.

What happens when you send an invoice

  1. 1Conversion. If your accounting system does not output Peppol BIS Billing 3.0 directly, the Access Point converts the document into UBL 2.1 with the right CustomizationID and ProfileID for the use case (Billing, CreditNote, Catalogue, Order, DespatchAdvice).
  2. 2Validation. The document is checked against the EN 16931 (BR-*) and Peppol BIS (PEPPOL-EN16931-*) schematron rules. Country-specific rules (NL-R-*, DK-R-*, SE-R-*, NO-R-*, etc.) are applied if the seller or buyer is in one of those countries. Most Access Points will refuse to send a document that fails any fatal rule.
  3. 3Signing and packaging. The document is wrapped in an AS4 message, signed with the Access Point's Peppol production certificate and encrypted to the recipient's public key.
  4. 4Discovery (SML / SMP). The Access Point hashes the recipient's Peppol Participant Identifier and queries the central Service Metadata Locator. The SML returns the URL of the Service Metadata Publisher holding the recipient's metadata. The SMP returns the recipient endpoint URL, supported document types and public certificate.
  5. 5Transmission. The signed and encrypted AS4 message is transmitted directly to the recipient endpoint over HTTPS using the Peppol AS4 profile. The recipient Access Point sends back a signed receipt.
  6. 6Delivery and notification. Your Access Point records the receipt as proof of delivery and notifies your back-office system that the document was accepted.

On the receiving side the same six steps run in reverse. From the seller's point of view this all happens in seconds and is invisible.

How an Access Point becomes certified

A Peppol Service Provider is an organisation that has signed a Peppol Authority agreement and operates one or more certified Access Points. To get there, the organisation has to:

  1. Implement the Peppol AS4 transport profile and at least one BIS profile (Billing 3.0 is the most common starting point).
  2. Set up an SMP for the participants it onboards and integrate with the central SML.
  3. Pass conformance testing against an OpenPeppol-operated test endpoint, covering both sending and receiving directions.
  4. Sign the Peppol Authority agreement with the relevant national Peppol Authority and accept ongoing compliance obligations.
  5. Receive Peppol production certificates issued under the Peppol PKI and start exchanging documents on the live network.

The list of certified Service Providers is maintained by OpenPeppol and is publicly browsable. As a buyer or seller, the practical question is not whether your provider is certified (any provider that can transact on Peppol must be) but whether it supports the document types, country profiles and SLAs you need.

National Peppol Authorities

OpenPeppol is the international body that owns the specifications. National Peppol Authorities operate the network within their country: they certify domestic Service Providers, run the local Peppol policy, and represent the country in OpenPeppol governance. Examples include:

  • FPS Policy and Support, Belgium.
  • AgID, Italy.
  • Digdir, Norway (operates ELMA, the Norwegian participant register).
  • IMDA, Singapore (operates the InvoiceNow programme).
  • ATO, Australia.
  • MBIE, New Zealand.
  • DigiconAsia / NIA, Thailand.

As an end user you do not deal with these bodies. They sit between OpenPeppol and the Service Providers in your country. Their existence is what gives the network its legal and operational backbone, and what allows national mandates (like Belgium's January 2026 B2B obligation) to land cleanly on top of an international infrastructure.

How to choose a provider

For most businesses, the right answer is: do not choose an Access Point in isolation, choose accounting or ERP software that has Peppol baked in and use whichever Access Point that software ships with. The friction of running anything separate is rarely worth it.

If you do need to pick a standalone provider, the criteria worth checking are:

  • Certified Service Provider status. Listed on the OpenPeppol Service Provider directory, with active production certificates.
  • Document types supported. Billing (Invoice, CreditNote) is table stakes; Order, DespatchAdvice, Catalogue, OrderResponse if you need procure-to-pay.
  • Country profiles. If you sell into Norway, NL or DE, the provider must support the local CIUS and country-specific schematron rules.
  • SMP registration. Confirm the provider handles SMP entries on your behalf so that other senders can deliver to you without extra setup.
  • Validation. Pre-send validation against EN 16931 and Peppol BIS rules with a clear error report (so you do not bounce documents off the recipient).
  • Pricing model. Per-document, monthly flat, or bundled with your software. Watch for surcharges on the receiving direction.
  • SLA and support. Uptime guarantees, response times, support languages, on-call coverage during your business hours.

Validate before your Access Point ships it

Most Access Points will reject a Peppol document that fails any fatal schematron rule. Catch the issues yourself first with a free EN 16931 / Peppol BIS Billing 3.0 validator. No signup, no upload limit.

Validate my invoiceThe Peppol networkMandates by country

Frequently asked questions

What does a Peppol Access Point do?

A Peppol Access Point is the certified entry and exit point to the Peppol network. It accepts documents from your accounting or ERP system, converts them into the Peppol BIS Billing 3.0 format if they are not already, validates them against the EN 16931 and Peppol schematron rules, signs them, encrypts them, looks up the recipient via the SML/SMP discovery layer, and delivers them over the AS4 transport profile. On the receiving side it does the inverse: validates the incoming AS4 message, verifies the signature, decrypts, validates the document and forwards it to your back-office system. You never connect to another business directly. You only ever connect to your own Access Point.

Do I need a Peppol Access Point to send invoices?

Yes. The only way to send a document over the Peppol network is through a certified Access Point. You can either contract with a standalone Access Point provider, or use accounting / ERP software that includes one (Exact, Yuki, Billit, Teamleader, Octopus, SAP, Oracle, Microsoft Dynamics, Sage and many others either operate an Access Point or partner with one). Once you are connected, you can reach every other participant on the network without any further bilateral setup.

How does an Access Point get certified?

OpenPeppol publishes a Peppol Authority agreement and a set of technical specifications (the BIS profiles, the AS4 transport profile, the SML/SMP architecture, the certificate policy). To become a Service Provider, an organisation signs the agreement, implements the technical stack, passes a conformance test against an OpenPeppol-operated test environment, and is then issued production certificates. National Peppol Authorities (such as FPS Policy and Support in Belgium, AgID in Italy, Digdir in Norway, IMDA in Singapore, the ATO in Australia) carry out the certification within their jurisdiction.

What is AS4 in the context of Peppol?

AS4 (Applicability Statement 4) is the OASIS messaging protocol that Peppol Access Points use to exchange documents over HTTPS. The Peppol AS4 profile defines exactly which AS4 features are mandatory: ebMS3 messaging, two-way reliable messaging, signed and encrypted payloads, four-corner addressing. Every certified Access Point implements the same profile, which is what makes the network interoperable. As an end user you never see AS4 directly; it is what your Access Point uses behind the scenes.

What is the difference between an SML and an SMP?

The Service Metadata Locator (SML) is the central DNS-based directory that maps a Peppol Participant Identifier to the URL of the Service Metadata Publisher (SMP) that holds the participant's metadata. There is one SML for the entire Peppol network, operated by OpenPeppol. There are many SMPs, typically one per Access Point. When sending a document, your Access Point first queries the SML to find the right SMP, then queries the SMP to retrieve the recipient's endpoint URL, supported document types and public certificate. It then sends the document directly to that endpoint.

How do I choose a Peppol Access Point provider?

Most businesses do not pick an Access Point in isolation. They pick the accounting or ERP software that fits them and use whichever Access Point that software ships with or partners with. If you have to pick a standalone provider, the things to look at are: certification status (the provider must appear in the OpenPeppol Service Provider list), supported document types (Invoice, CreditNote, Order, DespatchAdvice, Catalogue), supported countries and country-specific CIUS (NL, DE, IT, NO, etc.), pricing model (per document, flat fee, included with software), SLAs and uptime, support for the receiving side and not just sending, and whether they handle SMP registration on your behalf.

Can I run my own Peppol Access Point?

Technically yes, if you are willing to implement the AS4 profile, run an SMP, sign the Peppol Authority agreement and pass certification. In practice, very few end-user businesses do this because the operational cost (certificates, SMP hosting, monitoring, conformance testing, ongoing spec changes) outweighs the saving versus contracting an existing provider. Most organisations that run their own Access Point are software vendors or large enterprises that operate it as an internal service or sell it on as part of their product.

What does a Peppol Authority do?

A Peppol Authority is the body that operates the Peppol network within a national jurisdiction on behalf of OpenPeppol. It certifies local Service Providers, signs Peppol Authority agreements with them, issues policy and technical guidance for that country, often runs a national SML or test environment, and represents that country at OpenPeppol level. Examples: FPS Policy and Support (Belgium), AgID (Italy), Digdir (Norway), IMDA (Singapore), the ATO (Australia), Digital Government Partnership (New Zealand), Mahkamah Agung in Indonesia. End users do not deal with the Peppol Authority directly; they deal with a certified Service Provider.