ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

— May 15, 2026 · 12 min read

OpenPEPPOL: 4-corner network architecture and European adoption

PEPPOL is not an invoice format. It is a four-corner exchange network with its own governance rules, X.509 certificates, global registry and certified access points. Understanding the architecture explains why this network, born from a 2008 pilot project, has become the backbone of European e-invoicing by 2026.

The PEPPOL project, from pilot to AISBL

PEPPOL — Pan-European Public Procurement Online — started in 2008 as a large-scale pilot co-funded by the European Commission under the ICT-PSP programme (Information and Communication Technologies Policy Support Programme). The initial consortium gathered twelve countries around a goal that looked simple on paper: allow a supplier established in one member state to bid for and invoice a public buyer in another member state without having to integrate manually with every buyer's national portal. The founding idea was therefore cross-border and aimed at public procurement.

The pilot ended in 2012. In September 2012, the international non-profit association OpenPeppol AISBL was founded in Brussels to take over technical governance. The Belgian non-profit form has a concrete consequence: governance is multi-actor by statute (member states, private operators, software vendors), and BIS (Business Interoperability Specifications) are published under an open licence. Headquarters are in Brussels, the administrative secretariat is run by a Norwegian operator (DIFI at the time, today Digdir).

In 2026, OpenPeppol claims close to 600 members and active participation of about twenty PEPPOL Authorities supervising local enrolment of access points. Governance operates through sector-specific work groups (Post-Award, Pre-Award, eHealth, etc.) that produce the BIS profiles.

The 4-corner model in detail

The PEPPOL architecture rests on four logical corners, numbered C1 to C4. Corner C1 is the business sender: the ERP application producing an invoice, a purchase order or a despatch advice. This corner is not directly hooked to the network: it hands its document to Corner C2 — the sender's access point — via a private API specific to the operator. This local connection is not PEPPOL- standardised: each access point chooses how (REST, SOAP, SFTP drop, Kafka queue).

Corner C2 is where the "regulated" network starts. This access point is a certified operator holding a PEPPOL certificate, signed by the PEPPOL CA (PEPPOL Authority Certificate Authority). It acts as a proxy for its sender, validates the document against the Schematron of the requested BIS profile, wraps it in the SBDH envelope (Standard Business Document Header) version 1.0 and pushes it via AS4 to Corner C3, the recipient's access point. This AS4 push follows the PEPPOL eDelivery profile based on OASIS ebMS 3.0, itself a SOAP binding of the ebXML Messaging Service.

Corner C3 receives the message, verifies the signature, returns an AS4 receipt (non-repudiation proof) and delivers the document to its final client, Corner C4 — the recipient's business application (ERP, invoicing platform, public accounting system). This "last-mile" delivery, like C1↔C2, sits outside PEPPOL normalisation.

This four-corner pattern has a strong practical effect: the business sender (C1) only needs to know its own access point (C2). It does not have to discover the recipient, nor negotiate capabilities: that is the role of the registry layer.

SMP, SML, the two-headed registry

So that C2 knows where to push a message bound to a given identifier, PEPPOL defines two registries. The SML (Service Metadata Locator) is a centralised DNS registry — one SML for the production community — operated by PEPPOL's technical authority. Its function is simple: given a recipient identifier in ICD format (for example 0088:5790000435906 for a Belgian GLN), it returns the URL of the SMP (Service Metadata Publisher) holding the detailed metadata for that recipient.

The SMP is a federated registry: each access point runs its own SMP for the recipients it serves. On that SMP are published, for every client identifier, the accepted capabilities: "I can receive BIS Billing 3.0 Invoices", "I can receive BIS Orders", and for each capability the target AS4 URL, the encryption certificate, and the last-updated date. The SMP is queryable over HTTPS REST; its specification is documented in the PEPPOL SMP technical BIS.

Full recipient resolution thus takes two steps: an SML call (DNS lookup) to find the SMP, then an HTTPS call to the SMP for the target access point. This separation decouples discovery from delivery and lets a recipient change access point without changing its identifier.

eDelivery, AS4 and the CEF building block

Transport between Corner C2 and Corner C3 uses PEPPOL AS4, a restrictive profile of OASIS AS4 itself based on ebMS 3.0. The PEPPOL profile pins several options: mandatory encryption via XML Encryption, signature via XML Signature with PEPPOL certificate, One-Way / Push messaging model only (no Pull in production), and Receipt mode in Non-Repudiation.

The PEPPOL AS4 profile is part of the eDelivery building block of the Connecting Europe Facility (CEF), a European Commission digital infrastructure programme. Concretely, any European public operator can rely on CEF eDelivery artefacts (notably the open source Domibus project) to build its own compliant access point. That pooling has drastically lowered the entry cost for a public operator — a ministry, a city hall, a social-security fund — onto the network.

BIS Billing 3.0 and sectoral profiles

Above transport, the network defines a catalogue of BIS (Business Interoperability Specifications). The best known is PEPPOL BIS Billing 3.0, the invoicing profile, based on UBL 2.1 and aligned with EN 16931. The dedicated PEPPOL page on ediverse covers business terms (BT-1 to BT-200+) and business rules (BR-XX, BR-CO-XX, BR-NN-XX).

Other BIS coexist. PEPPOL BIS Order Only 3.0 covers purchase orders in UBL Order. PEPPOL BIS Order Agreement 3.0 covers order responses (UBL OrderResponse). PEPPOL BIS Despatch Advice 3.0 covers despatch advices. More recently, the AISBL published PEPPOL eOrder & Order Response and is working on Post-Award post-payment profiles.

Outside the commercial space, PEPPOL Healthcare publishes eHealth profiles — notably for prescriptions and lab reports — reusing AS4 transport and the SMP registry with HL7 CDA or FHIR R4 documents as payload.

Country-by-country adoption

PEPPOL adoption is not uniform. A few key snapshots in 2026:

Belgium. Mandate for all public administrations since 2019, extended to a B2B mandate on 1 January 2026 (Law of 6 February 2024) for VAT-liable entities established in Belgium. PEPPOL is designated as the default transmission channel.

Germany. XRechnung, the federal standard, is a CIUS of EN 16931 and runs natively on PEPPOL. The B2B mandate phases in from 1 January 2025 (mandatory reception) with rollout across 2027–2028 (mandatory issuance, gated by turnover thresholds).

Netherlands. A pioneer: PEPPOL usage has been general for government flows since 2017. SimplerInvoicing, the Dutch profile, is a recognised CIUS of EN 16931.

Italy. Adopts a parallel model: the SdI (Sistema di Interscambio) has operated as a closed national circuit since 2014, but can receive and emit toward PEPPOL via an official gateway. The domestic format is FatturaPA, which is not a CIUS of EN 16931 but remains alignable.

France. The e-invoicing reform introduced by the 2021 ordinances sets up the PPF/PDP model (Plateforme Publique de Facturation, Plateformes de Dématérialisation Partenaires). The mandate timelines, postponed several times, currently mention September 2026 for mandatory B2B reception and September 2027 for issuance, but this calendar may still evolve. PEPPOL is cited as one of the exchange channels between PDPs.

Spain. The 2022 Ley Crea y Crece introduces a mandatory B2B e-invoicing regime; the implementing decree specifies a national Facturae format and PEPPOL transit for cross-border flows. Effective date depends on the official publication of the decree.

Norway, Sweden, Denmark, Finland. Nordic countries have been historically ahead — Norway has mandated EHF (a PEPPOL CIUS) since 2012 for government flows, generalised to B2B in 2024 — and form a test market for new BIS versions.

The economic role of access points

From a business stakeholder's perspective, an access point plays three roles. Compliance guarantor: it validates documents against current Schematron before submitting them to the network. Transport operator: it maintains the PEPPOL certificate, manages the AS4 tunnel, runs the SMP for its clients. SLA layer: it guarantees availability, retention and replay in case of incident. PEPPOL certification is annual, paid, and requires technical audits.

In 2026, roughly 250 access points are certified worldwide. The majors: Stedi, Pagero, B2Brouter, Ibanity, Tickstar, Tradeshift, and a constellation of local operators tied to national ERPs (Cegid, Sage, Visma…). At the edges, some SaaS vendors run their own access point for their own clients only — a "corner-1 in" model: the invoicing SaaS is also the access point.

A network that has held

The most striking lesson in 2026 is that the founding bet of 2008 — building a European private-law network capable of standing against strong national platforms — has held. PEPPOL has replaced no one: it has coexisted with the Italian SdI, the French ChorusPro, the German Bundesportal, and gradually become the common channel through which everyone transits — without anyone having tried to unify the national portals. The dedicated Foundations page revisits the technical building blocks in detail.

For anyone implementing in 2026, the technical plan fits in four lines: adopt an access point (rarely operate your own), conform your outputs to the relevant BIS profile, declare your identifiers on an SMP, and systematically test against the OpenPeppol validator — the latter point being covered by the Testing EDI pipelines page.