CESOP: What Payment Service Providers Need to Report

Last updated: March 2026

Introduction

CESOP reporting is a mandatory quarterly obligation for European payment service providers handling cross-border transactions above the 25-payment threshold – missing the deadline or submitting inaccurate data can result in supervisory action and penalties. If you work in payments or compliance at a European financial institution, CESOP likely sits on your regulatory checklist. For many payment service providers, it remains one of the less visible yet increasingly important reporting obligations under EU law.

CESOP (Central Electronic System of Payment Information) is an EU-wide system designed to collect information about cross-border payments. Introduced through EU legislative measures to support tax administration and combat VAT fraud across member states, CESOP has been operational since 1 January 2024, with the first reporting submissions due by 30 April 2024.

This obligation affects banks, payment institutions, e-money institutions, and other entities that process payments on behalf of customers. The reporting burden falls primarily on the PSP of the payee for intra-EU payments, and on the payer’s PSP when the payee’s PSP is located outside the EU. Understanding which transactions trigger CESOP reporting, what data flows, and when deadlines fall can mean the difference between smooth compliance and costly corrections.

For many institutions, CESOP reporting feels abstract – the data flows somewhere to national tax authorities, and few understand what happens downstream. Yet the mechanics matter significantly. Getting CESOP reporting right means understanding transaction qualification, the payee-focused threshold, data extraction, and XML formatting. Fall below the threshold for a payee and you report nothing for that payee. Miss a reporting deadline and you face potential administrative sanctions.

This article explains what CESOP is, who must report, what data flows, how thresholds work, and how to manage the obligation in practice.

Legal Basis and Regulatory Scope

CESOP reporting derives from EU Directive 2020/284, which amended Council Directive 2006/112/EC on the common system of value added tax (VAT Directive). The directive introduced new Articles 243a through 243d, creating record-keeping and reporting requirements for payment service providers.

Each member state was required to transpose the directive into national law by 31 December 2023, with application from 1 January 2024. Luxembourg transposed CESOP through the Law of 26 July 2023, published in the Official Journal on 2 August 2023. Other member states followed with their own transpositions, though the core rules remain harmonized across the EU.

The legal basis makes clear that CESOP is fundamentally a VAT-related initiative. The stated purpose is to assist tax authorities in detecting VAT fraud, particularly fraudulent transactions involving goods or services crossing member state borders. CESOP gives tax authorities transaction-level visibility into cross-border payment flows that traditional tax reporting may not capture.

In Luxembourg, CESOP is administered through the relevant tax authority responsible for VAT. PSPs must file quarterly CESOP data through a standardized portal. Understanding your member state’s specific implementation rules is essential for timely compliance.

What is CESOP? System Architecture

CESOP is not a reporting portal where you submit data directly to the EU. Instead, it is a centralized database operated by the European Commission. Payment service providers report to their national tax authorities. Those national authorities then transmit the data to CESOP in a standardized format.

Think of CESOP as an aggregation and analysis point. Data flows from millions of transactions across European payment systems, funneled through national tax authorities, and consolidated into a single repository. This repository allows Eurofisc liaison officers across the EU to cross-reference information, identify patterns, and investigate suspicious transaction flows indicating potential VAT fraud.

The system operates on a quarterly cycle. Each calendar quarter generates a separate CESOP reporting obligation, with a firm deadline of one month after quarter end:

• Q1 (January – March): due by 30 April
• Q2 (April – June): due by 31 July
• Q3 (July – September): due by 31 October
• Q4 (October – December): due by 31 January

These deadlines are set by the directive. Some member states may apply slightly different submission windows for their national portals, so always confirm with your local tax authority.

For institutions processing large volumes of cross-border payments, CESOP reporting can mean transmitting data on hundreds or thousands of payees per quarter. The scale depends on your customer base, payment corridors, and transaction patterns.

Who Must Report? Payment Service Provider Scope

CESOP reporting applies to all payment service providers as defined under the Payment Services Directive 2 (PSD2, Directive (EU) 2015/2366). This includes:

• Commercial banks and credit institutions
• Payment institutions (PIs) licensed under PSD2
• E-money institutions (EMIs)
• Post office giro institutions where they provide payment services
• Licensed money remittance service providers

The definition is broad. Any entity that provides payment services within the EU as defined by PSD2 may be required to report under CESOP rules. However, PSPs that only provide account information services or payment initiation services (without holding funds) are excluded.

Not all payment service providers have a CESOP reporting obligation in every quarter. The obligation is triggered only if the provider processes a sufficient volume of cross-border payments to the same payee. This is where the threshold becomes critical.

Who Reports: Payee’s PSP vs. Payer’s PSP

A key concept that many institutions initially misunderstand: the primary reporting obligation falls on the payee’s PSP, not the payer’s PSP.

The logic reflects CESOP’s purpose – detecting VAT fraud by identifying payees (sellers/merchants) receiving cross-border payments. The rules work as follows:

• Intra-EU payments (payee in another EU member state): The payee’s PSP reports. The payer’s PSP is relieved of the reporting obligation because the payee’s PSP is within the EU and will report.
• Extra-EU payments (payee in a third country): The payer’s PSP reports, because the payee’s PSP is outside the EU and will not report to CESOP.
• Intermediate PSPs: The payer’s PSP relief does not extend to intermediate PSPs in complex payment chains. If you are an intermediary in a multi-party payment chain, you may still have reporting obligations.

This distinction determines which PSP must actually submit the CESOP report. If you are a payee’s PSP receiving cross-border payments, you are the primary reporter. If you are a payer’s PSP and the payee’s PSP is in the EU, you are generally relieved – but must still count those transactions toward the threshold.

The 25-Payment Threshold: How It Works

CESOP reporting is not mandatory for every transaction. Instead, reporting is triggered by a threshold of more than 25 cross-border payments to the same payee within a single calendar quarter.

How the Threshold is Calculated

The threshold counts cross-border payments per payee, not per payer-payee combination. This is a critical distinction:

• If Payee X receives 30 cross-border payments in Q1 – from 30 different payers across 15 member states – the threshold is met. The PSP must report all 30 transactions.
• If Payee Y receives only 20 cross-border payments in Q1 from various payers, the threshold is not met. No reporting for Payee Y in Q1.
• If a payee has multiple accounts or identifiers with the same PSP, the PSP must aggregate across those accounts when it has knowledge that the identifiers refer to the same payee.

The quarterly calculation means thresholds reset each quarter. Transactions that fell short in Q1 do not carry forward to Q2. Each quarter stands alone for threshold purposes.

Important: All Transactions, Not Just the 26th Onward

Once the threshold is crossed for a payee, all cross-border transactions to that payee in that quarter must be reported – including the first transaction. The threshold is a trigger, not a starting point. You report everything for that payee once the threshold is exceeded.

Practical Threshold Monitoring

Since you can only know if the threshold is exceeded at the end of the quarter, PSPs must record all cross-border payments from day one. Many institutions implement automated systems to track cross-border payment flows by payee throughout the quarter.

What Gets Reported in CESOP?

Once you identify qualifying payees, CESOP reporting requires transmitting specific data points. Importantly, CESOP is payee-focused – the data reported is primarily about the payee (the recipient of funds), not the payer. The only payer information reported is the payer’s location.

Payee Information Requirements

The payee is the party receiving the payment – typically a seller, merchant, or service provider. Required payee information includes:

• Full legal name or natural name
• BIC (Bank Identifier Code) of the payee’s financial institution, if available
• IBAN or other unique account identifier
• Address (mandatory for the payee’s PSP; optional for the payer’s PSP)
• VAT identification number (where available)
• Other national tax identification number (where available and different from VAT number)

Payee identification presents practical challenges. For card payments, the payee may be identified by a Merchant ID rather than an IBAN. For digital wallets, the ultimate payee may be obscured behind a platform or intermediary. The CESOP rules require reporting what information is available to the PSP. If you cannot obtain a BIC or IBAN, you report the information you do have.

Payer Information

CESOP deliberately limits payer data to protect privacy. The only payer information reported is:

• The payer’s location – the member state where the payer is located (determined by the IBAN or other identifier)

No payer name, address, or identification numbers are reported to CESOP. This is by design – CESOP’s purpose is to identify payees (sellers) who may be evading VAT, not to track payers (buyers).

Transaction Details Requirements

For each qualifying transaction, report:

• Date and time of the payment or refund
• Payment amount and currency
• Member state of origin of the payment (where the payer is located)
• Member state or third country of destination (where the payee is located)
• Whether the transaction is a payment or a refund
• Unique transaction reference or identifier
• Information identifying the payment as initiated at the physical premises of the merchant (point-of-sale), if applicable

Refund handling requires specific attention. If a payee qualifies for CESOP reporting and processes refunds, those refunds must be reported separately with a refund indicator. The refund should reference the original transaction where possible.

Cross-Border Element and Scope Determination

The cross-border requirement is fundamental to CESOP reporting. A transaction qualifies only if the payer is located in one member state and the payee is located in a different member state or a third country.

Location is determined by:

• Primary rule: The IBAN or other unambiguous identifier of the payer/payee account
• Fallback rule: The BIC or other identifier of the PSP acting on behalf of the payer/payee

Domestic transactions – both payer and payee in the same member state – are excluded from CESOP, regardless of volume. This is an important scope limitation. If your customer base is predominantly domestic, CESOP reporting may not apply even at high transaction volumes.

Also excluded: payments from payers located outside the EU. CESOP only captures payments where the payer is located in an EU member state.

Reporting Across Multiple Member States

PSPs that provide payment services across multiple member states face additional complexity. You must report in each member state where you provide the relevant payment services, not just in your home member state. This may include:

• Your home member state (where you are established)
• Host member states (where you provide payment services via passporting)

For a Luxembourg-based PSP that has passported its license across the EU, this could mean filing CESOP reports in multiple member states simultaneously, each covering the transactions processed in that jurisdiction.

Filing Format: XML Schema and Technical Requirements

CESOP data must be submitted in XML format according to a technical specification published by the EU. The XML schema is defined by Commission Implementing Regulation (EU) 2022/1504 and associated technical documentation.

The schema includes several key elements:

• Header: Submission metadata including reporting entity BIC, reporting member state, reporting period, and submission timestamp
• Reported Payees: A repeating block for each qualifying payee, containing payee details and all reported transactions for that payee
• Transactions: Individual payment records nested under each payee
• Message characteristics: Whether this is an original submission, correction, or replacement

The schema is versioned. EU authorities publish updates periodically. Institutions must track schema changes and ensure their submission systems generate compliant XML against the current version. Validation tools are available through national tax authorities and the EU Commission. Before final submission, validate your XML against the schema to catch structural errors early.

CESOP Reporting in Practice: Step-by-Step Process

Step 1: Identify Reporting Scope

Determine whether your institution has qualifying payees. This requires categorizing payments by payee and cross-border status:

• Pull all cross-border payment transactions from your payment systems for the quarter
• Group by payee (aggregating across accounts where you know they belong to the same payee)
• Count cross-border payments per payee
• Identify payees exceeding the 25-payment threshold

Since you cannot know the final count until the quarter ends, you must record all cross-border payments from day one of the quarter.

Step 2: Determine Reporting Obligation

For each qualifying payee, determine whether your institution is the reporting PSP:

• If you are the payee’s PSP (the payee holds an account with you), you report
• If you are the payer’s PSP and the payee’s PSP is in the EU, you are generally relieved
• If you are the payer’s PSP and the payee’s PSP is outside the EU, you report

Step 3: Data Extraction and Mapping

Extract qualifying transaction records from payment systems. Data extraction must capture all required fields: payee identification, payer location, transaction details, and refund indicators.

Map your system fields to the CESOP XML schema. A field called “Recipient Name” in your system must be mapped to the payee name element in the XML schema. Consistent, documented mapping prevents data quality issues.

Step 4: XML Generation and Validation

Map transaction data into the CESOP XML schema. Validate the generated XML against the official schema. Fix validation errors before submission. Common errors include missing required elements, incorrect data types, and malformed character encoding.

Step 5: Submission and Record-Keeping

Submit the XML file through your national tax authority’s portal. Keep records of all submissions for at least three years, including submission timestamps, confirmation receipts, any error messages, and the XML files submitted.

Common Challenges and Solutions

Payee Identification Across Payment Methods

Traditional wire transfers provide clear payee bank account information (IBAN/BIC). But newer payment methods complicate payee identification:

• Card payments may show a Merchant ID but no IBAN
• Digital wallets may obscure the ultimate payee
• Platform-mediated payments may route through intermediaries
• Peer-to-peer payments may only capture a user ID

The regulations require reporting what information is available. You cannot manufacture an IBAN if your system does not capture one. Report what you have and document gaps.

Aggregation Across Multiple Payee Identifiers

A single payee may have multiple accounts or identifiers. If you know that two IBANs or an IBAN and a Merchant ID belong to the same legal entity, you must aggregate for threshold calculation. In practice, this requires robust payee matching logic. When uncertain, treat identifiers as separate payees – over-splitting is generally safer than incorrectly merging.

Marketplace and Platform Scenarios

Marketplaces raise questions about the actual payee. When a customer purchases through a marketplace:

• If the marketplace receives the payment and later remits to the seller, the marketplace may be the payee for CESOP purposes
• If the platform passes the payment through directly to the seller, the seller is the payee

CESOP rules focus on the party receiving the funds. Understanding your role in the payment chain determines what data you must report.

Multi-Member-State Reporting

PSPs operating across multiple member states via passporting may need to file separate CESOP reports in each jurisdiction where they provide payment services. This requires clear allocation of transactions to the correct member state and coordination of filing deadlines across jurisdictions.

CESOP as Part of the VAT Fraud Detection Framework

CESOP does not exist in isolation. It is part of a broader EU framework for VAT fraud detection and prevention. VAT fraud – particularly carousel fraud involving successive supply chains crossing member state borders – costs the EU billions annually. The EU Commission estimated the VAT gap at EUR 61 billion for 2021.

By collecting transaction-level payment data across borders, tax authorities gain visibility into suspicious patterns:

• Payees receiving high volumes of cross-border payments without corresponding VAT registrations
• Payment patterns inconsistent with declared business activities
• Unusual concentration of payments from specific corridors

As a PSP, you are not responsible for investigating fraud. Your role is to report the data accurately and on time. The data you report may be the evidence that uncovers VAT fraud in another member state.

Coming Soon: Template-by-Template Deep Dives

We’re building detailed, template-level guides for each reporting framework covered on RegReportingDesk. Whether you need a field-by-field walkthrough of the CESOP XML schema, field mappings, or reporting process flows, these guides are on the way. Bookmark this page and check back soon.

Frequently Asked Questions

What is CESOP reporting and when did it begin?

CESOP (Central Electronic System of Payment Information) is an EU reporting system requiring payment service providers to report cross-border payment data when a payee receives more than 25 cross-border payments in a calendar quarter. CESOP became operational on 1 January 2024, following transposition of EU Directive 2020/284. The first reporting submissions covered Q1 2024 and were due by 30 April 2024.

How does the 25-payment threshold work exactly?

If a payee receives more than 25 cross-border payments in one calendar quarter – from any number of payers – all transactions to that payee must be reported. The threshold is per payee, not per payer-payee combination. The PSP must aggregate payments across multiple payer accounts to the same payee. Each quarter resets independently.

Who actually files the CESOP report – the payer’s PSP or the payee’s PSP?

For intra-EU payments, the payee’s PSP reports. The payer’s PSP is relieved because the payee’s PSP is in the EU. For payments to third countries (outside the EU), the payer’s PSP reports because the payee’s PSP is outside the EU system. Intermediate PSPs in complex payment chains may also have obligations.

Do I report domestic transactions in CESOP?

No. Domestic transactions – both payer and payee in the same member state – are excluded, even at high volumes. Only cross-border transactions qualify. Payments where the payer is outside the EU are also excluded.

What payer data must I report?

Only the payer’s location (member state). CESOP deliberately limits payer data to protect privacy. You do not report payer names, addresses, or identification numbers. The focus is on identifying the payee.

When is CESOP reporting due?

One month after the end of each quarter: Q1 by 30 April, Q2 by 31 July, Q3 by 31 October, Q4 by 31 January. Confirm exact deadlines with your national tax authority.

Must I file in multiple member states?

If you provide payment services across multiple EU member states (e.g., via passporting), you must report in each member state where you provide those services, not only your home member state. This may require filing separate reports in multiple jurisdictions.

What format must CESOP data be submitted in?

XML format according to the official schema defined by Commission Implementing Regulation (EU) 2022/1504. Validate your XML before submission. Tools are available from the EU Commission and national authorities.

Key Takeaways

• CESOP is mandatory for PSPs when a payee exceeds the 25-payment threshold. If a payee receives more than 25 cross-border payments in a calendar quarter, the PSP must report all transactions to that payee.
• The threshold is per payee, not per payer-payee combination. Payments from any payer to the same payee are aggregated. This is a common misunderstanding – get it right to avoid under- or over-reporting.
• The payee’s PSP is the primary reporter for intra-EU payments. The payer’s PSP is relieved when the payee’s PSP is in the EU. The payer’s PSP reports when the payee is in a third country.
• CESOP focuses on payee data, not payer data. Only the payer’s location (member state) is reported. No payer names or IDs. This reflects CESOP’s purpose: identifying payees (sellers) for VAT fraud detection.
• Only cross-border transactions qualify. Domestic transactions are excluded entirely. Payments where the payer is outside the EU are also excluded.
• Reporting operates on a quarterly calendar with a one-month deadline. Reports are due within one month of quarter-end. Late filing carries administrative sanctions.
• PSPs operating across multiple member states must file in each jurisdiction. If you passport your payment license, you may need to file separate CESOP reports in multiple member states.
• CESOP supports VAT fraud detection. The system serves a legitimate tax administration purpose. Accuracy and timeliness matter for compliance and for the broader anti-fraud mission.

Disclaimer

Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.

Sources and References

• Directive (EU) 2020/284 (amending VAT Directive) – EU directive introducing payment data reporting obligations for payment service providers https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32020L0284
• Regulation (EU) 2020/283 (amending Regulation 904/2010) – Establishes the Central Electronic System of Payment Information (CESOP) https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32020R0283
• Commission Implementing Regulation (EU) 2022/1504 – Implementing rules for the electronic format and technical details of CESOP reporting https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R1504
• European Commission – CESOP Technical Information and Guidelines – Technical specifications, XML schema, guidelines, and FAQ for PSPs https://taxation-customs.ec.europa.eu/taxation/cesop_en
• Luxembourg Law of 26 July 2023 – National transposition of Directive (EU) 2020/284 https://legilux.public.lu/
• EC Guidelines for Reporting of Payment Data (November 2023) – Detailed operational guidance for PSPs implementing CESOP https://taxation-customs.ec.europa.eu/system/files/2023-11/Guidelines%20for%20reporting_V1.1_23.11.23.pdf
• EC CESOP Questions and Answers (November 2023) – Official FAQ addressing common CESOP implementation questions https://taxation-customs.ec.europa.eu/system/files/2023-11/Q&A%20-23.11.23_0