Background

The introduction of measures towards the modernization of VAT collection via combinations of transactional reporting and electronic invoicing in the EU started in Italy in 2019. Prior to that date, several countries including Hungary and Spain had already commenced their different journeys towards the rollout of electronic reporting in real-time or near-real-time. More recently, France, Romania and Poland followed in Italy’s footsteps, each with in practice varying requirements, while Greece has taken an altogether different route with its myDATA initiative.

EESPA welcomes the European Commission’s VAT in the Digital Age (ViDA) proposal, in which it suggests mandatory support by taxable persons and tax administrations of the European Norm, among other steps, to avoid further divergence of e-invoicing and e-reporting practices among EU Member States.

Against this backdrop, the French VAT reform has seen the introduction of specific security requirements for private sector service providers that want to act as so-called PDPs and that use third party hosting services. Datacenter vendors that are used to host PDP services must comply with the SecNumCloud standard – a certification label created by ANSSI (the French National Cybersecurity Agency) to improve protection for public authorities.

The French VAT reform service provider experience

The French tax administration (DG-FIP) has designed these requirements with the intention to be consistent with EU-wide efforts to ensure the use of sovereign cloud services in order to ensure the consistent protection of European commercial and personal data against undesired leakage to third countries. By design, the French regulations do not limit the datacenter used by a PDP to be based exclusively in France. They are allowed to be located anywhere in the EU. However, the practical challenge that has not surprisingly arisen, because of the nature of the certification requirements, is the fact that during the preparation phase for the French VAT reform only a limited number of datacenters, all based in France, could offer SecNumCloud compliant services. This meant that candidate PDPs without their own datacenters in France have de facto had to choose a local service provider in a market where demand for such certified hosting services was considerably greater than supply. When a legislative change of the magnitude of the French VAT reform is introduced, it is important that the authorities encourage plentiful supply of compliant solutions so that the market can transition to the new regulatory environment at the lowest possible cost and at the same time ensure fair market conditions. The limited competition on the supply-side of the market for SecNumCloud-certified hosting services in this phase of the establishment of PDPs results in high investment costs for PDP candidates, which potentially will be transferred over to the end customer, as well as potentially a more limited offering of PDP services than would have been the case without these circumstances.

EESPA recommendations

EESPA acknowledges that certification schemes such as SecNumCloud are a ticket to improved trust by businesses and administrations towards using cloud-based solutions.

While EESPA applauds and understands the DG-FIP’s efforts to take an EU-consistent approach in its security concept for PDPs, the French CTC rollout demonstrates that further efforts are needed to ensure that such good intentions translate to a situation whereby service providers from any EU Member State can in practice perform roles like PDPs in France across the EU. EESPA is concerned that the imposition of similar requirements under the laws of additional individual Member States, if insufficiently coordinated from a regulatory and certification perspective, could turn European data protection and security of business information from a laudable objective into an unnecessarily costly web of requirements for the hosting or processing of data for electronic invoices and similar tax-relevant documents.

Since one anticipated effect of the ViDA proposals is that many additional Member States will introduce mandatory B2B e-invoicing in the near future, EESPA urges the European Commission to work with Member States to agree a practical approach to the use of sovereign cloud hosting arrangement in a timely manner to ensure that the introduction of mandatory B2B e-invoicing and e-reporting across the EU can simultaneously meet legitimate EU data sovereignty and economic efficiency objectives.

Finally, EESPA members are concerned that the risk in relation to disharmonized approaches in the EU applies a fortiori to the international environment. The French and similar EU requirements for the use of sovereign cloud solutions respond to the fear of companies acting within the EU territory, and handling sensitive European business or personal data, being obligated to disclose such data due to the extraterritorial application of law from third countries that they are subject to. This creates a distinct competitive disadvantage for such companies within the EU territory. Whilst understandable as an immediate protective measure, the market distortion within the EU resulting from such protective measures could easily be used by non-EU countries to reciprocate with similar legislation that creates market entry barriers for EU-headquartered service providers. EESPA believes that these themes must urgently be discussed within the WTO or in bilateral relationships between the EU and third countries in order to avoid such negative effects on international trade in critical business automation services.

EESPA promotes an open, competitive global market for the seamless exchange of electronic invoices and other supply and demand chain data. Confidence in the underlying services is paramount but regulatory measures towards ensuring such confidence should consider the need for trade and commerce to maximize the benefits of electronic networks.