Is Peppol really safe?

A bold title, perhaps even slightly exaggerated. First of all, Peppol is significantly safer than email, but vigilance remains important. Even with Peppol.

How secure is the Peppol network?

Peppol is a secure network for sending and receiving structured e-invoices.

All documents are transmitted in encrypted form. This means invoices cannot be intercepted or altered during transmission. Compared to email, Peppol is therefore undoubtedly a much safer way to exchange invoices.

However, security does not depend solely on the Peppol network itself.

The role of Access Points

To send an invoice via Peppol, a company must be connected through a certified Access Point (AP). These are the gateways to the Peppol network. There are currently 199 certified Access Points in Belgium. Each AP must go through a strict accreditation procedure before being allowed to register companies.

This accreditation process is crucial.

In theory, a malicious party could attempt to wrongfully register a company in order to send fraudulent invoices in that company’s name. That is why it is essential that Access Points:

  • Thoroughly verify the identity of the registering party through official databases (such as the Crossroads Bank for Enterprises – CBE)
  • Use secure identification methods (for example eID or itsme)

A registration process without proper identification may be user-friendly, but it significantly increases the risk of misuse.

Should you be concerned?

No — but you should remain vigilant.

Every transaction sent via the Peppol network is fully traceable. If fraud occurs, it can be detected relatively quickly. However, as with any form of invoicing, vigilance remains important:

  • Check whether the name and bank account number match what your banking app shows
  • Compare the bank account number with previous invoices
  • Be extra cautious with invoices you were not expecting

Peppol is secure, but no system is 100% fraud-proof.

What does Doccle do to enhance security?

Security is fundamental to Doccle. Our teams continuously work on strengthening protection and controls.

  • Secure Peppol registration via itsme

When a company registers for Peppol via Doccle:

  • The identity is confirmed via itsme
  • The itsme data is compared with the official data in the CBE

If the data matches, the registration is activated.

This ensures that only the legal representative can register the company. In exceptional cases where itsme is not possible, our teams perform a manual verification based on official documents of the legal representative. More info concerning the manual registration.

  • Strong account security

Equally important is securing your own account. A strong password is the minimum. Even better:

  • Log in via itsme or eID
  • Activate two-factor authentication (2FA)
  • Use biometric security in the mobile app (fingerprint or facial recognition)

Do you have two separate accounts (private and business)? Itsme can only be linked to one account. In that case, make sure to activate 2FA on your second account via Profile > Security. Log in to your account.

What can you do to protect yourself?

Especially during the early phase of e-invoicing, additional checks are wise. For incoming invoices, check both:

  • The PDF version
  • The XML version

Why?

An error in the automatic conversion from PDF to XML may result in discrepancies in amounts or data. This is usually not fraud, but a technical error. In Doccle, you can download and easily compare both versions. Make sure to do this particularly for:

  • New suppliers
  • Unexpected invoices
  • Situations where you have doubts
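The two manual checks described above (comparing the bank account number with previous invoices, and comparing the PDF with the XML) can be scripted as follows. This is an added example, not Doccle's code: the function names are hypothetical, the element paths are the UBL 2.1 ones used by Peppol BIS Billing 3.0, and the invoice, company number and IBANs are constructed. The PDF values are assumed to be typed in by the person reviewing the invoice.

```python
import xml.etree.ElementTree as ET
from decimal import Decimal

# UBL 2.1 namespaces, as used by Peppol BIS Billing 3.0 invoices
NS = {"cbc": "urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2",
      "cac": "urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2"}

# Constructed sample (not a real invoice), trimmed to the fields checked below
SAMPLE_XML = f"""<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2"
    xmlns:cbc="{NS['cbc']}" xmlns:cac="{NS['cac']}">
  <cac:AccountingSupplierParty><cac:Party><cac:PartyLegalEntity>
    <cbc:CompanyID>0123456789</cbc:CompanyID>
  </cac:PartyLegalEntity></cac:Party></cac:AccountingSupplierParty>
  <cac:PaymentMeans><cac:PayeeFinancialAccount><cbc:ID>BE68539007547034</cbc:ID>
  </cac:PayeeFinancialAccount></cac:PaymentMeans>
  <cac:LegalMonetaryTotal><cbc:PayableAmount currencyID="EUR">1210.00</cbc:PayableAmount>
  </cac:LegalMonetaryTotal>
</Invoice>"""

def norm_iban(value):
    return value.replace(" ", "").upper() if value else None

def extract_fields(xml_text):
    if "<!DOCTYPE" in xml_text:  # an invoice needs no DTD; refuse entity tricks
        raise ValueError("DOCTYPE not allowed in invoice XML")
    root = ET.fromstring(xml_text)
    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None
    amount = text("cac:LegalMonetaryTotal/cbc:PayableAmount")
    return {
        "supplier_id": text("cac:AccountingSupplierParty/cac:Party/cac:PartyLegalEntity/cbc:CompanyID"),
        "iban": norm_iban(text("cac:PaymentMeans/cac:PayeeFinancialAccount/cbc:ID")),
        "payable": Decimal(amount) if amount else None,
    }

def review(xml_text, pdf_values, known_ibans):
    """Return warnings; pdf_values holds what a person read off the PDF."""
    x, warnings = extract_fields(xml_text), []
    if x["payable"] != Decimal(pdf_values["payable"]):
        warnings.append(f"amount differs: XML {x['payable']} vs PDF {pdf_values['payable']}")
    if x["iban"] != norm_iban(pdf_values["iban"]):
        warnings.append("IBAN in XML differs from IBAN on PDF")
    previous = known_ibans.get(x["supplier_id"])
    if previous is None:
        warnings.append("no earlier invoices from this supplier: verify IBAN separately")
    elif x["iban"] not in previous:
        warnings.append("IBAN not seen on earlier invoices from this supplier")
    return warnings
```

An empty list means nothing stood out; any warning is a reason to contact the sender before paying.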

In summary

Peppol is a secure and strongly protected network for e-invoicing. Thanks to encryption and full traceability, the level of security is much higher than with traditional email invoices.

However, security is a shared responsibility:

  • Access Points must comply with the government-imposed Peppol regulations
  • Software providers must implement secure processes
  • Users must continue to review invoices critically

Doccle invests daily in additional security measures to further strengthen both ease of use and protection.

Frequently asked questions

  • Yes, an error in the conversion to XML can result in an incorrect e-invoice. This is not fraud, but a technical error. A correction is made via a credit note.

    Companies are identified by their VAT or CBE number. If you enter the wrong number, an invoice may end up at another company. Therefore, always check that an invoice is actually intended for your company.

  • In theory, yes. This can happen if a software application or access point does not perform sufficient security checks during registration.

    Because a company can register with multiple access points for sending purposes, a fraudster could misuse a company identity via a less stringent access point. That is why proper registration checks are so important.

  • Don’t have a Doccle account yet? Then create one first. Once you have an account, you can add Peppol yourself via the map on the home page or via the “Connections” menu. Then follow the next steps.

    Create your free account
  • What should I do if I receive a suspicious invoice?

    • Do not pay if you have any doubts.
    • Contact the sender.
    • If necessary, request a credit note.
    • An e-invoice is an official invoice. Corrections can only be made via a credit note.

    Do you think it is fraud? Report it via the reporting centre for businesses: https://meldpunt.belgie.be/meldpunt/en/welcome.