RKSV — certified cash registers and Belegerteilungspflicht
The Registrierkassensicherheitsverordnung (RKSV), in force since 1 April 2017, is the Austrian equivalent of the French "anti-fraud VAT" decree of 2016. Any cash register above certain thresholds must be tamper-resistant (Sicherheitsmodul), registered with BMF via FinanzOnline, and must issue a signed receipt + QR code on every transaction.
History — 3 waves 2016-2017
- 2015-2016 — adoption. BMF, under European pressure and following the 2014 "fiscal memory" report, launches the anti-cash-fraud package. BGBl II 410/2015 published December 2015.
- 1 January 2016 — wave 1. Requirement to use an electronic cash register (Registrierkasse) above the thresholds. Still without technical tamper-proofing. "Tolerance" phase.
- 1 July 2016 — Belegerteilungspflicht. Duty to issue a receipt for every cash transaction, by all merchants — not only those subject to the certified register obligation.
- 1 April 2017 — wave 2. Activation of technical requirements: certified Sicherheitsmodul, FinanzOnline registration, signed QR code. End of tolerance.
- 2018-2026 — stabilisation. No new structural wave. Few technical updates (RKSV-Novelle 2019, mobile compatibility, strengthened ECDSA signature).
Thresholds — who is concerned
- Cash register mandatory: business with annual turnover > €15,000 and cash turnover (Barumsatz) > €7,500. Both cumulative conditions.
- RKSV-certified register: any commerce subject to the cash register obligation must use a RKSV-conformant register (Sicherheitsmodul + FinanzOnline + QR code).
- Belegerteilungspflicht: duty to issue a receipt for all cash sales, without threshold. Concerns also small shops that don't have the register requirement (= they can keep a manual book).
- Extended scope: food retail, hospitality, hairdressing, taxis, kiosks, Volksfest markets. Exemption for mobile sales without fixed installation (Kalte Hand Regelung, § 131b Abs 5 BAO), up to €30,000 turnover.
- Out of scope: Bauernmarkt in open nature, tips, donations, social services without billing.
Belegerteilungspflicht — duty to issue a receipt
The Belegerteilungspflicht is a reciprocal duty:
- Merchant side: obligation to issue a receipt containing merchant name, address, date/time, amount, VAT rate, and — if RKSV register — signed QR code.
- Customer side: obligation to accept and to keep the receipt until leaving the premises (Belegannahmepflicht). Theoretically fineable, in practice never enforced.
- Goal: make every cash transaction traceable. The receipt and the signed register must let Finanzpolizei (fiscal police) reconstruct the sales journal on inspection.
Sicherheitsmodul + QR code
The technical core of RKSV is the Sicherheitsmodul — a cryptographic module (smartcard, HSM or cloud signing service) that signs every receipt:
- ECDSA P-256 signature. Each receipt receives a digital signature based on its data + hash chained with the previous receipt. Any retrospective edit breaks the chain.
- Mandatory QR code. The QR contains the full payload in compact form — protocol prefix, cash register ID, receipt number, timestamp, per-VAT-rate amounts, encrypted cumulative turnover, signature.
- Certified providers. A-Trust (RTR subsidiary), Globaltrust, Cybertrust — each Sicherheitsmodul comes from a provider registered with BMF.
- Data journal (DEP). The Datenerfassungsprotokoll journal contains all receipts of the fiscal year. Must be kept 7 years, exportable in normalised E132 XML format.
_R1-AT0_DEMO-CASH001_42_2026-05-19T15:24:31_18.30_0.00_0.00_2.70_0.00_AT1234567890_W3hWSjQ4UXBuVk8...
└─────┬─────┘└────┬────┘└┬┘└─────┬─────┘└──┬──┘└──┬──┘└──┬──┘└──┬──┘└──┬──┘└─────┬─────┘└────┬─────┘
│ │ │ │ │ │ │ │ │ │ │
protocol cash-ID rec# timestamp 20% 13% 10% 0% spec encrypted signature
prefix turnover SHA-256 FinanzOnline registration and monthly journal
- Initial registration: each RKSV register is registered on FinanzOnline ("Registrierkasse anmelden" form), with its serial number, manufacturer and associated Sicherheitsmodul.
- Start receipt (Startbeleg). First receipt issued after registration: amount €0, validated via FinanzOnline and the free "BMF Belegcheck" app. Confirms the signature chain is operational.
- Month-end receipt (Monatsbeleg). Issued on the last day of every month, amount €0, serves as time anchor.
- Fiscal year receipt (Jahresbeleg). Issued on 31 December, to be kept and validated before 15 February N+1 via Belegcheck. Central element of annual control.
- DEP export: every Finanzpolizei inspection requests DEP export. Certified registers offer E132-conformant export (structured XML + signatures).
Penalties — Finanzpolizei and fines
- Failure to use certified register: up to €5,000 fine per inspection (BAO § 51).
- Non-conformant QR code: €2,500 on average.
- Non-issuance of receipt (Belegerteilungspflicht): warning on first inspection, fine from the second.
- Characterised fraud: VAT + corporate tax reassessment + Strafzuschlag (penal surcharge) up to 200 % of the evaded amount.
- Activity suspension. On characterised recurrence, Finanzpolizei can order temporary closure of the establishment.
Common pitfalls
- Confusing Registrierkasse and RKSV register. Not every electronic register is RKSV conformant: Sicherheitsmodul certification + FinanzOnline registration are required.
- Forgetting the Jahresbeleg. Issuing but not validating via Belegcheck within deadlines triggers an automatic fine.
- Sicherheitsmodul shared between several registers. Possible (cloud mode) but requires explicit declaration. A module used outside declaration triggers inspection rejection.
- Poorly documented register migration. A software or hardware change requires an Außerbetriebnahme (deregistration) + new registration. Many neglect the deregistration step.
- Believing cloud registers are exempt. Cloud registers (Vectron, ready2order, Helloleo) are also subject to RKSV. They embed cloud Sicherheitsmodul signed via A-Trust.